Some questions about USB fuzzing
60 views
Skip to first unread message
chase xd
Dec 1, 2022, 9:48:29 AM12/1/22
to andre...@google.com, syzk...@googlegroups.com
Hi Andrey,
Nowadays I've been looking into the USB part in Syzkaller and I find some points a bit confusing to me, hope you could clarify that for me.
1. If I understand correctly, what the pseudosyscalls do, take `syz_usb_ep_write` for example, is constructing a IO request and adding into queue of one endpoint. When enabling dummy_hcd, the information in this request will be directly memcpyed into one URB constructed by dummy HCD, and the dummy HCD send this URB to higher levels in host side (core and target drivers). So how can this not contradict with the whole host-slave procotol stack? As in, how can a gadget send something to host when the host simply not asks for?
2. Considering many years passed since syzkaller supporting USB fuzz, would it be meaningful to implement isochronous URB support in dummy_hcd? If it is indeed, what's the difficulties you think will encounter and will syz-executor need to be tailored to adapt this support?
Thanks in advance!
Best regards,
Xdchase
Andrey Konovalov
Dec 2, 2022, 6:29:10 PM12/2/22
to chase xd, andre...@google.com, syzk...@googlegroups.com
On Thu, Dec 1, 2022 at 3:48 PM chase xd <sl1589...@gmail.com> wrote:
>
> Hi Andrey,
Hi Chase,
> Nowadays I've been looking into the USB part in Syzkaller and I find some points a bit confusing to me, hope you could clarify that for me.
>
> 1. If I understand correctly, what the pseudosyscalls do, take `syz_usb_ep_write` for example, is constructing a IO request and adding into queue of one endpoint. When enabling dummy_hcd, the information in this request will be directly memcpyed into one URB constructed by dummy HCD, and the dummy HCD send this URB to higher levels in host side (core and target drivers). So how can this not contradict with the whole host-slave procotol stack? As in, how can a gadget send something to host when the host simply not asks for?
This host-device thing is only an issue for control endpoints: there,
the host can send different types of requests and the device must
react accordingly. Thus, the syz_usb_connect pseudo-syscall.
For non-control endpoints, the host just keeps requesting data, so
there's always a queued request on the device side. syz_usb_ep_write
sends a response to this request.
> 2. Considering many years passed since syzkaller supporting USB fuzz, would it be meaningful to implement isochronous URB support in dummy_hcd? If it is indeed, what's the difficulties you think will encounter and will syz-executor need to be tailored to adapt this support?
Sure, adding support for isochronous endpoints will allow fuzzing
audio/video devices and thus will certainly uncover new bugs.
I've never worked with isochronous endpoints, so I don't know how
difficult it would be to support them in Dummy HCD, Raw Gadget, and
syzkaller.
Thanks!
>
> Hi Andrey,
Hi Chase,
> Nowadays I've been looking into the USB part in Syzkaller and I find some points a bit confusing to me, hope you could clarify that for me.
>
> 1. If I understand correctly, what the pseudosyscalls do, take `syz_usb_ep_write` for example, is constructing a IO request and adding into queue of one endpoint. When enabling dummy_hcd, the information in this request will be directly memcpyed into one URB constructed by dummy HCD, and the dummy HCD send this URB to higher levels in host side (core and target drivers). So how can this not contradict with the whole host-slave procotol stack? As in, how can a gadget send something to host when the host simply not asks for?
the host can send different types of requests and the device must
react accordingly. Thus, the syz_usb_connect pseudo-syscall.
For non-control endpoints, the host just keeps requesting data, so
there's always a queued request on the device side. syz_usb_ep_write
sends a response to this request.
> 2. Considering many years passed since syzkaller supporting USB fuzz, would it be meaningful to implement isochronous URB support in dummy_hcd? If it is indeed, what's the difficulties you think will encounter and will syz-executor need to be tailored to adapt this support?
audio/video devices and thus will certainly uncover new bugs.
I've never worked with isochronous endpoints, so I don't know how
difficult it would be to support them in Dummy HCD, Raw Gadget, and
syzkaller.
Thanks!
Reply all
Reply to author
Forward
0 new messages