sys/linux: extract USB HID ids (#1294)
* sys/linux: extract USB HID ids

As it turns out the HID kernel subsystem registers only one USB driver that
checks that the interface of the connected device has HID class and then looks
up its own list of vendor/device ids to find a matching driver. This means
that we currently don't generate proper vendor/device ids for USB HID devices.

This patch updates the syz-usbgen tool to also extract USB HID vendor/device
ids from a running kernel, and patches the generated descriptions for HID devices
with the extracted ids.

This patch also contains some minor improvements to USB descriptions
(better HID descriptions and more replies for some USB classes/drivers).

* sys/linux: run make generate
xairy committed Jul 22, 2019
1 parent 6a786da commit 55e0c07
Showing 17 changed files with 1,867 additions and 420 deletions.
10 changes: 5 additions & 5 deletions executor/defs.h
Expand Up @@ -70,7 +70,7 @@

#if GOARCH_386
#define GOARCH "386"
#define SYZ_REVISION "1bc0fa9f7861ff91d569dcf8ba650d737652afab"
#define SYZ_REVISION "abf775e79eb587f356d2e4185f389e7c85b39dbd"
#define SYZ_EXECUTOR_USES_FORK_SERVER 1
#define SYZ_EXECUTOR_USES_SHMEM 1
#define SYZ_PAGE_SIZE 4096
Expand All @@ -80,7 +80,7 @@

#if GOARCH_amd64
#define GOARCH "amd64"
#define SYZ_REVISION "9ca635816b59c55b8f7d9aa6abe52088a4cc64ea"
#define SYZ_REVISION "3b91569fc90e0cdabd6fba3c5e67788d63e3c523"
#define SYZ_EXECUTOR_USES_FORK_SERVER 1
#define SYZ_EXECUTOR_USES_SHMEM 1
#define SYZ_PAGE_SIZE 4096
Expand All @@ -90,7 +90,7 @@

#if GOARCH_arm
#define GOARCH "arm"
#define SYZ_REVISION "cff0433ff8043192fac9e969c584db0c17598e63"
#define SYZ_REVISION "f96baee65093845b4b1a678cd8aa38b95e3b0372"
#define SYZ_EXECUTOR_USES_FORK_SERVER 1
#define SYZ_EXECUTOR_USES_SHMEM 1
#define SYZ_PAGE_SIZE 4096
Expand All @@ -100,7 +100,7 @@

#if GOARCH_arm64
#define GOARCH "arm64"
#define SYZ_REVISION "b66ad52635de8aacc57393a6f483c52c32386027"
#define SYZ_REVISION "5307034b0db8d1657d4ddcdab7db939d9ab16c14"
#define SYZ_EXECUTOR_USES_FORK_SERVER 1
#define SYZ_EXECUTOR_USES_SHMEM 1
#define SYZ_PAGE_SIZE 4096
Expand All @@ -110,7 +110,7 @@

#if GOARCH_ppc64le
#define GOARCH "ppc64le"
#define SYZ_REVISION "e26f6705a451d4be0e383459b6c7950eed5820f9"
#define SYZ_REVISION "e5b063cf52a1846e567817a2871dc574193113d9"
#define SYZ_EXECUTOR_USES_FORK_SERVER 1
#define SYZ_EXECUTOR_USES_SHMEM 1
#define SYZ_PAGE_SIZE 4096
281 changes: 214 additions & 67 deletions sys/linux/gen/386.go

Large diffs are not rendered by default.

281 changes: 214 additions & 67 deletions sys/linux/gen/amd64.go

Large diffs are not rendered by default.

281 changes: 214 additions & 67 deletions sys/linux/gen/arm.go

Large diffs are not rendered by default.

281 changes: 214 additions & 67 deletions sys/linux/gen/arm64.go

Large diffs are not rendered by default.

281 changes: 214 additions & 67 deletions sys/linux/gen/ppc64le.go

Large diffs are not rendered by default.

25 changes: 13 additions & 12 deletions sys/linux/init.go
Expand Up @@ -50,18 +50,19 @@ func InitTarget(target *prog.Target) {
target.SanitizeCall = arch.sanitizeCall
target.SpecialTypes = map[string]func(g *prog.Gen, typ prog.Type, old prog.Arg) (
prog.Arg, []*prog.Call){
"timespec": arch.generateTimespec,
"timeval": arch.generateTimespec,
"sockaddr_alg": arch.generateSockaddrAlg,
"alg_name": arch.generateAlgName,
"alg_aead_name": arch.generateAlgAeadName,
"alg_hash_name": arch.generateAlgHashName,
"alg_blkcipher_name": arch.generateAlgBlkcipherhName,
"ipt_replace": arch.generateIptables,
"ip6t_replace": arch.generateIptables,
"arpt_replace": arch.generateArptables,
"ebt_replace": arch.generateEbtables,
"usb_device_descriptor": arch.generateUsbDeviceDescriptor,
"timespec": arch.generateTimespec,
"timeval": arch.generateTimespec,
"sockaddr_alg": arch.generateSockaddrAlg,
"alg_name": arch.generateAlgName,
"alg_aead_name": arch.generateAlgAeadName,
"alg_hash_name": arch.generateAlgHashName,
"alg_blkcipher_name": arch.generateAlgBlkcipherhName,
"ipt_replace": arch.generateIptables,
"ip6t_replace": arch.generateIptables,
"arpt_replace": arch.generateArptables,
"ebt_replace": arch.generateEbtables,
"usb_device_descriptor": arch.generateUsbDeviceDescriptor,
"usb_device_descriptor_hid": arch.generateUsbHidDeviceDescriptor,
}
// TODO(dvyukov): get rid of this, this must be in descriptions.
target.StringDictionary = []string{
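--- a/sys/linux/init_vusb.go
+++ b/sys/linux/init_vusb.go
@@ -25,6 +25,7 @@ const (
 USB_DEVICE_ID_MATCH_INT_NUMBER
 
 BytesPerUsbID = 17
+BytesPerHidID = 12
 )
 
 type UsbDeviceID struct {
@@ -42,6 +43,13 @@ type UsbDeviceID struct {
 BInterfaceNumber uint8
 }
 
+type HidDeviceID struct {
+Bus uint16
+Group uint16
+Vendor uint32
+Product uint32
+}
+
 func (arch *arch) generateUsbDeviceDescriptor(g *prog.Gen, typ0 prog.Type, old prog.Arg) (
 arg prog.Arg, calls []*prog.Call) {
 
@@ -119,6 +127,36 @@ func (arch *arch) generateUsbDeviceDescriptor(g *prog.Gen, typ0 prog.Type, old p
 return
 }
 
+func (arch *arch) generateUsbHidDeviceDescriptor(g *prog.Gen, typ0 prog.Type, old prog.Arg) (
+arg prog.Arg, calls []*prog.Call) {
+
+if old == nil {
+arg = g.GenerateSpecialArg(typ0, &calls)
+} else {
+arg = old
+calls = g.MutateArg(arg)
+}
+if g.Target().ArgContainsAny(arg) {
+return
+}
+
+totalIds := len(hidIds) / BytesPerHidID
+idNum := g.Rand().Intn(totalIds)
+base := hidIds[idNum*BytesPerHidID : (idNum+1)*BytesPerHidID]
+
+p := strings.NewReader(base)
+var id HidDeviceID
+if binary.Read(p, binary.LittleEndian, &id) != nil {
+panic("not enough data to read")
+}
+
+devArg := arg.(*prog.GroupArg).Inner[0]
+patchGroupArg(devArg, 7, "idVendor", uint64(id.Vendor))
+patchGroupArg(devArg, 8, "idProduct", uint64(id.Product))
+
+return
+}
+
 func patchGroupArg(arg prog.Arg, index int, field string, value uint64) {
 fieldArg := arg.(*prog.GroupArg).Inner[index].(*prog.ConstArg)
 if fieldArg.Type().FieldName() != field {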
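Review bot: `g.Rand().Intn(totalIds)` in generateUsbHidDeviceDescriptor panics when `totalIds` is 0, which happens if `hidIds` (defined outside this hunk, presumably generated by syz-usbgen) is ever empty or shorter than BytesPerHidID — a kernel built without HID drivers would plausibly produce that; an early `if totalIds == 0 { return }` before the draw lets generation fall back to the unpatched descriptor instead of crashing the fuzzer. The subsequent binary.Read only succeeds because HidDeviceID's fields sum to exactly 12 bytes, the same value as BytesPerHidID, and nothing ties the two together; a comment on the type, `// HidDeviceID mirrors one extracted record; its encoded size must equal BytesPerHidID.`, would make that invariant visible to whoever next edits either. The indices 7 and 8 passed to patchGroupArg are validated only by the field-name check at the end of the hunk, whose body continues past it.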
