// https://syzkaller.appspot.com/bug?id=4c4fdb6bcaf084aa86420e29517ee2ad96bd64a6
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <netinet/in.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/futex.h>
#include <linux/if_addr.h>
#include <linux/if_ether.h>
#include <linux/if_link.h>
#include <linux/if_tun.h>
#include <linux/in6.h>
#include <linux/ip.h>
#include <linux/neighbour.h>
#include <linux/net.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/tcp.h>
#include <linux/usb/ch9.h>
#include <linux/veth.h>
unsigned long long procid;
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i;
for (i = 0; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
int state;
} event_t;
static void event_init(event_t* ev)
{
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
if (ev->state)
exit(1);
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
}
static void event_wait(event_t* ev)
{
while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}
static int event_isset(event_t* ev)
{
return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
for (;;) {
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
return 1;
now = current_time_ms();
if (now - start > timeout)
return 0;
}
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static struct {
char* pos;
int nesting;
struct nlattr* nested[8];
char buf[1024];
} nlmsg;
static void netlink_init(int typ, int flags, const void* data, int size)
{
memset(&nlmsg, 0, sizeof(nlmsg));
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
hdr->nlmsg_type = typ;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
memcpy(hdr + 1, data, size);
nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}
static void netlink_attr(int typ, const void* data, int size)
{
struct nlattr* attr = (struct nlattr*)nlmsg.pos;
attr->nla_len = sizeof(*attr) + size;
attr->nla_type = typ;
memcpy(attr + 1, data, size);
nlmsg.pos += NLMSG_ALIGN(attr->nla_len);
}
static void netlink_nest(int typ)
{
struct nlattr* attr = (struct nlattr*)nlmsg.pos;
attr->nla_type = typ;
nlmsg.pos += sizeof(*attr);
nlmsg.nested[nlmsg.nesting++] = attr;
}
static void netlink_done(void)
{
struct nlattr* attr = nlmsg.nested[--nlmsg.nesting];
attr->nla_len = nlmsg.pos - (char*)attr;
}
static int netlink_send(int sock)
{
if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting)
exit(1);
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
hdr->nlmsg_len = nlmsg.pos - nlmsg.buf;
struct sockaddr_nl addr;
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0,
(struct sockaddr*)&addr, sizeof(addr));
if (n != hdr->nlmsg_len)
exit(1);
n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0);
if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
exit(1);
if (hdr->nlmsg_type != NLMSG_ERROR)
exit(1);
return -((struct nlmsgerr*)(hdr + 1))->error;
}
static void netlink_add_device_impl(const char* type, const char* name)
{
struct ifinfomsg hdr;
memset(&hdr, 0, sizeof(hdr));
netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
if (name)
netlink_attr(IFLA_IFNAME, name, strlen(name));
netlink_nest(IFLA_LINKINFO);
netlink_attr(IFLA_INFO_KIND, type, strlen(type));
}
static void netlink_add_device(int sock, const char* type, const char* name)
{
netlink_add_device_impl(type, name);
netlink_done();
int err = netlink_send(sock);
(void)err;
}
static void netlink_add_veth(int sock, const char* name, const char* peer)
{
netlink_add_device_impl("veth", name);
netlink_nest(IFLA_INFO_DATA);
netlink_nest(VETH_INFO_PEER);
nlmsg.pos += sizeof(struct ifinfomsg);
netlink_attr(IFLA_IFNAME, peer, strlen(peer));
netlink_done();
netlink_done();
netlink_done();
int err = netlink_send(sock);
(void)err;
}
static void netlink_add_hsr(int sock, const char* name, const char* slave1,
const char* slave2)
{
netlink_add_device_impl("hsr", name);
netlink_nest(IFLA_INFO_DATA);
int ifindex1 = if_nametoindex(slave1);
netlink_attr(IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
int ifindex2 = if_nametoindex(slave2);
netlink_attr(IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
netlink_done();
netlink_done();
int err = netlink_send(sock);
(void)err;
}
static void netlink_device_change(int sock, const char* name, bool up,
const char* master, const void* mac,
int macsize)
{
struct ifinfomsg hdr;
memset(&hdr, 0, sizeof(hdr));
if (up)
hdr.ifi_flags = hdr.ifi_change = IFF_UP;
netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr));
netlink_attr(IFLA_IFNAME, name, strlen(name));
if (master) {
int ifindex = if_nametoindex(master);
netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex));
}
if (macsize)
netlink_attr(IFLA_ADDRESS, mac, macsize);
int err = netlink_send(sock);
(void)err;
}
static int netlink_add_addr(int sock, const char* dev, const void* addr,
int addrsize)
{
struct ifaddrmsg hdr;
memset(&hdr, 0, sizeof(hdr));
hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
hdr.ifa_scope = RT_SCOPE_UNIVERSE;
hdr.ifa_index = if_nametoindex(dev);
netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
netlink_attr(IFA_LOCAL, addr, addrsize);
netlink_attr(IFA_ADDRESS, addr, addrsize);
return netlink_send(sock);
}
static void netlink_add_addr4(int sock, const char* dev, const char* addr)
{
struct in_addr in_addr;
inet_pton(AF_INET, addr, &in_addr);
int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
(void)err;
}
static void netlink_add_addr6(int sock, const char* dev, const char* addr)
{
struct in6_addr in6_addr;
inet_pton(AF_INET6, addr, &in6_addr);
int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
(void)err;
}
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02x"
#define DEV_MAC 0x00aaaaaaaaaa
static void initialize_netdevices(void)
{
char netdevsim[16];
sprintf(netdevsim, "netdevsim%d", (int)procid);
struct {
const char* type;
const char* dev;
} devtypes[] = {
{"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"},
{"vcan", "vcan0"}, {"bond", "bond0"},
{"team", "team0"}, {"dummy", "dummy0"},
{"nlmon", "nlmon0"}, {"caif", "caif0"},
{"batadv", "batadv0"}, {"vxcan", "vxcan1"},
{"netdevsim", netdevsim}, {"veth", 0},
};
const char* devmasters[] = {"bridge", "bond", "team"};
struct {
const char* name;
int macsize;
bool noipv6;
} devices[] = {
{"lo", ETH_ALEN},
{"sit0", 0},
{"bridge0", ETH_ALEN},
{"vcan0", 0, true},
{"tunl0", 0},
{"gre0", 0},
{"gretap0", ETH_ALEN},
{"ip_vti0", 0},
{"ip6_vti0", 0},
{"ip6tnl0", 0},
{"ip6gre0", 0},
{"ip6gretap0", ETH_ALEN},
{"erspan0", ETH_ALEN},
{"bond0", ETH_ALEN},
{"veth0", ETH_ALEN},
{"veth1", ETH_ALEN},
{"team0", ETH_ALEN},
{"veth0_to_bridge", ETH_ALEN},
{"veth1_to_bridge", ETH_ALEN},
{"veth0_to_bond", ETH_ALEN},
{"veth1_to_bond", ETH_ALEN},
{"veth0_to_team", ETH_ALEN},
{"veth1_to_team", ETH_ALEN},
{"veth0_to_hsr", ETH_ALEN},
{"veth1_to_hsr", ETH_ALEN},
{"hsr0", 0},
{"dummy0", ETH_ALEN},
{"nlmon0", 0},
{"vxcan1", 0, true},
{"caif0", ETH_ALEN},
{"batadv0", ETH_ALEN},
{netdevsim, ETH_ALEN},
};
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1)
exit(1);
unsigned i;
for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
netlink_add_device(sock, devtypes[i].type, devtypes[i].dev);
for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
sprintf(slave0, "%s_slave_0", devmasters[i]);
sprintf(veth0, "veth0_to_%s", devmasters[i]);
netlink_add_veth(sock, slave0, veth0);
sprintf(slave1, "%s_slave_1", devmasters[i]);
sprintf(veth1, "veth1_to_%s", devmasters[i]);
netlink_add_veth(sock, slave1, veth1);
sprintf(master, "%s0", devmasters[i]);
netlink_device_change(sock, slave0, false, master, 0, 0);
netlink_device_change(sock, slave1, false, master, 0, 0);
}
netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0);
netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0);
netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr");
netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr");
netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0);
netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0);
for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
char addr[32];
sprintf(addr, DEV_IPV4, i + 10);
netlink_add_addr4(sock, devices[i].name, addr);
if (!devices[i].noipv6) {
sprintf(addr, DEV_IPV6, i + 10);
netlink_add_addr6(sock, devices[i].name, addr);
}
uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
netlink_device_change(sock, devices[i].name, true, 0, &macaddr,
devices[i].macsize);
}
close(sock);
}
static void initialize_netdevices_init(void)
{
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1)
exit(1);
struct {
const char* type;
int macsize;
bool noipv6;
bool noup;
} devtypes[] = {
{"nr", 7, true}, {"rose", 5, true, true},
};
unsigned i;
for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
char dev[32], addr[32];
sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
netlink_add_addr4(sock, dev, addr);
if (!devtypes[i].noipv6) {
sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
netlink_add_addr6(sock, dev, addr);
}
int macsize = devtypes[i].macsize;
uint64_t macaddr = 0xbbbbbb +
((unsigned long long)i << (8 * (macsize - 2))) +
(procid << (8 * (macsize - 1)));
netlink_device_change(sock, dev, !devtypes[i].noup, 0, &macaddr, macsize);
}
close(sock);
}
#define USB_DEBUG 0
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
struct usb_iface_index {
struct usb_interface_descriptor* iface;
struct usb_endpoint_descriptor* eps[USB_MAX_EP_NUM];
unsigned eps_num;
};
struct usb_device_index {
struct usb_device_descriptor* dev;
struct usb_config_descriptor* config;
unsigned config_length;
struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
unsigned ifaces_num;
};
static bool parse_usb_descriptor(char* buffer, size_t length,
struct usb_device_index* index)
{
if (length < sizeof(*index->dev) + sizeof(*index->config))
return false;
memset(index, 0, sizeof(*index));
index->dev = (struct usb_device_descriptor*)buffer;
index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
index->config_length = length - sizeof(*index->dev);
size_t offset = 0;
while (true) {
if (offset + 1 >= length)
break;
uint8_t desc_length = buffer[offset];
uint8_t desc_type = buffer[offset + 1];
if (desc_length <= 2)
break;
if (offset + desc_length > length)
break;
if (desc_type == USB_DT_INTERFACE &&
index->ifaces_num < USB_MAX_IFACE_NUM) {
struct usb_interface_descriptor* iface =
(struct usb_interface_descriptor*)(buffer + offset);
index->ifaces[index->ifaces_num++].iface = iface;
}
if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
if (iface->eps_num < USB_MAX_EP_NUM)
iface->eps[iface->eps_num++] =
(struct usb_endpoint_descriptor*)(buffer + offset);
}
offset += desc_length;
}
return true;
}
enum usb_fuzzer_event_type {
USB_FUZZER_EVENT_INVALID,
USB_FUZZER_EVENT_CONNECT,
USB_FUZZER_EVENT_DISCONNECT,
USB_FUZZER_EVENT_SUSPEND,
USB_FUZZER_EVENT_RESUME,
USB_FUZZER_EVENT_CONTROL,
};
struct usb_fuzzer_event {
uint32_t type;
uint32_t length;
char data[0];
};
struct usb_fuzzer_init {
uint64_t speed;
const char* driver_name;
const char* device_name;
};
struct usb_fuzzer_ep_io {
uint16_t ep;
uint16_t flags;
uint32_t length;
char data[0];
};
#define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init)
#define USB_FUZZER_IOCTL_RUN _IO('U', 1)
#define USB_FUZZER_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_fuzzer_event)
#define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io)
#define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 4, struct usb_fuzzer_ep_io)
#define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 7, struct usb_fuzzer_ep_io)
#define USB_FUZZER_IOCTL_EP_READ _IOWR('U', 8, struct usb_fuzzer_ep_io)
#define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 9)
#define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 10, uint32_t)
int usb_fuzzer_open()
{
return open("/sys/kernel/debug/usb-fuzzer", O_RDWR);
}
int usb_fuzzer_init(int fd, uint32_t speed, const char* driver,
const char* device)
{
struct usb_fuzzer_init arg;
arg.speed = speed;
arg.driver_name = driver;
arg.device_name = device;
return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg);
}
int usb_fuzzer_run(int fd)
{
return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0);
}
int usb_fuzzer_event_fetch(int fd, struct usb_fuzzer_event* event)
{
return ioctl(fd, USB_FUZZER_IOCTL_EVENT_FETCH, event);
}
int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io);
}
int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_ep_io* io)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, io);
}
int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io);
}
int usb_fuzzer_ep_read(int fd, struct usb_fuzzer_ep_io* io)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP_READ, io);
}
int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc);
}
int usb_fuzzer_configure(int fd)
{
return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0);
}
int usb_fuzzer_vbus_draw(int fd, uint32_t power)
{
return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power);
}
#define USB_MAX_PACKET_SIZE 1024
struct usb_fuzzer_control_event {
struct usb_fuzzer_event inner;
struct usb_ctrlrequest ctrl;
char data[USB_MAX_PACKET_SIZE];
};
struct usb_fuzzer_ep_io_data {
struct usb_fuzzer_ep_io inner;
char data[USB_MAX_PACKET_SIZE];
};
struct vusb_connect_string_descriptor {
uint32_t len;
char* str;
} __attribute__((packed));
struct vusb_connect_descriptors {
uint32_t qual_len;
char* qual;
uint32_t bos_len;
char* bos;
uint32_t strs_len;
struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));
static const char default_string[] = {8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0};
static const char default_lang_id[] = {4, USB_DT_STRING, 0x09, 0x04};
static bool lookup_connect_response(struct vusb_connect_descriptors* descs,
struct usb_device_index* index,
struct usb_ctrlrequest* ctrl,
char** response_data,
uint32_t* response_length)
{
uint8_t str_idx;
switch (ctrl->bRequestType & USB_TYPE_MASK) {
case USB_TYPE_STANDARD:
switch (ctrl->bRequest) {
case USB_REQ_GET_DESCRIPTOR:
switch (ctrl->wValue >> 8) {
case USB_DT_DEVICE:
*response_data = (char*)index->dev;
*response_length = sizeof(*index->dev);
return true;
case USB_DT_CONFIG:
*response_data = (char*)index->config;
*response_length = index->config_length;
return true;
case USB_DT_STRING:
str_idx = (uint8_t)ctrl->wValue;
if (descs && str_idx < descs->strs_len) {
*response_data = descs->strs[str_idx].str;
*response_length = descs->strs[str_idx].len;
return true;
}
if (str_idx == 0) {
*response_data = (char*)&default_lang_id[0];
*response_length = default_lang_id[0];
return true;
}
*response_data = (char*)&default_string[0];
*response_length = default_string[0];
return true;
case USB_DT_BOS:
*response_data = descs->bos;
*response_length = descs->bos_len;
return true;
case USB_DT_DEVICE_QUALIFIER:
if (!descs->qual) {
struct usb_qualifier_descriptor* qual =
(struct usb_qualifier_descriptor*)response_data;
qual->bLength = sizeof(*qual);
qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
qual->bcdUSB = index->dev->bcdUSB;
qual->bDeviceClass = index->dev->bDeviceClass;
qual->bDeviceSubClass = index->dev->bDeviceSubClass;
qual->bDeviceProtocol = index->dev->bDeviceProtocol;
qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
qual->bNumConfigurations = index->dev->bNumConfigurations;
qual->bRESERVED = 0;
*response_length = sizeof(*qual);
return true;
}
*response_data = descs->qual;
*response_length = descs->qual_len;
return true;
default:
exit(1);
return false;
}
break;
default:
exit(1);
return false;
}
break;
default:
exit(1);
return false;
}
return false;
}
static volatile long syz_usb_connect(volatile long a0, volatile long a1,
volatile long a2, volatile long a3)
{
uint64_t speed = a0;
uint64_t dev_len = a1;
char* dev = (char*)a2;
struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3;
if (!dev) {
return -1;
}
struct usb_device_index index;
memset(&index, 0, sizeof(index));
int rv = 0;
rv = parse_usb_descriptor(dev, dev_len, &index);
if (!rv) {
return rv;
}
int fd = usb_fuzzer_open();
if (fd < 0) {
return fd;
}
char device[32];
sprintf(&device[0], "dummy_udc.%llu", procid);
rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]);
if (rv < 0) {
return rv;
}
rv = usb_fuzzer_run(fd);
if (rv < 0) {
return rv;
}
bool done = false;
while (!done) {
struct usb_fuzzer_control_event event;
event.inner.type = 0;
event.inner.length = sizeof(event.ctrl);
rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
if (rv < 0) {
return rv;
}
if (event.inner.type != USB_FUZZER_EVENT_CONTROL)
continue;
bool response_found = false;
char* response_data = NULL;
uint32_t response_length = 0;
if (event.ctrl.bRequestType & USB_DIR_IN) {
response_found = lookup_connect_response(
descs, &index, &event.ctrl, &response_data, &response_length);
if (!response_found) {
return -1;
}
} else {
if ((event.ctrl.bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD ||
event.ctrl.bRequest != USB_REQ_SET_CONFIGURATION) {
exit(1);
return -1;
}
done = true;
}
if (done) {
rv = usb_fuzzer_vbus_draw(fd, index.config->bMaxPower);
if (rv < 0) {
return rv;
}
rv = usb_fuzzer_configure(fd);
if (rv < 0) {
return rv;
}
unsigned ep;
for (ep = 0; ep < index.ifaces[0].eps_num; ep++) {
rv = usb_fuzzer_ep_enable(fd, index.ifaces[0].eps[ep]);
if (rv < 0) {
} else {
}
}
}
struct usb_fuzzer_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
response_length = 0;
if (event.ctrl.wLength < response_length)
response_length = event.ctrl.wLength;
response.inner.length = response_length;
if (response_data)
memcpy(&response.data[0], response_data, response_length);
else
memset(&response.data[0], 0, response_length);
if (event.ctrl.bRequestType & USB_DIR_IN) {
rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
} else {
rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
}
if (rv < 0) {
return rv;
}
}
sleep_ms(200);
return fd;
}
struct vusb_descriptor {
uint8_t req_type;
uint8_t desc_type;
uint32_t len;
char data[0];
} __attribute__((packed));
struct vusb_descriptors {
uint32_t len;
struct vusb_descriptor* generic;
struct vusb_descriptor* descs[0];
} __attribute__((packed));
struct vusb_response {
uint8_t type;
uint8_t req;
uint32_t len;
char data[0];
} __attribute__((packed));
struct vusb_responses {
uint32_t len;
struct vusb_response* generic;
struct vusb_response* resps[0];
} __attribute__((packed));
static bool lookup_control_response(struct vusb_descriptors* descs,
struct vusb_responses* resps,
struct usb_ctrlrequest* ctrl,
char** response_data,
uint32_t* response_length)
{
int descs_num = 0;
int resps_num = 0;
if (descs)
descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) /
sizeof(descs->descs[0]);
if (resps)
resps_num = (resps->len - offsetof(struct vusb_responses, resps)) /
sizeof(resps->resps[0]);
uint8_t req = ctrl->bRequest;
uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
uint8_t desc_type = ctrl->wValue >> 8;
if (req == USB_REQ_GET_DESCRIPTOR) {
int i;
for (i = 0; i < descs_num; i++) {
struct vusb_descriptor* desc = descs->descs[i];
if (!desc)
continue;
if (desc->req_type == req_type && desc->desc_type == desc_type) {
*response_length = desc->len;
if (*response_length != 0)
*response_data = &desc->data[0];
else
*response_data = NULL;
return true;
}
}
if (descs && descs->generic) {
*response_data = &descs->generic->data[0];
*response_length = descs->generic->len;
return true;
}
} else {
int i;
for (i = 0; i < resps_num; i++) {
struct vusb_response* resp = resps->resps[i];
if (!resp)
continue;
if (resp->type == req_type && resp->req == req) {
*response_length = resp->len;
if (*response_length != 0)
*response_data = &resp->data[0];
else
*response_data = NULL;
return true;
}
}
if (resps && resps->generic) {
*response_data = &resps->generic->data[0];
*response_length = resps->generic->len;
return true;
}
}
return false;
}
static volatile long syz_usb_control_io(volatile long a0, volatile long a1,
volatile long a2)
{
int fd = a0;
struct vusb_descriptors* descs = (struct vusb_descriptors*)a1;
struct vusb_responses* resps = (struct vusb_responses*)a2;
struct usb_fuzzer_control_event event;
event.inner.type = 0;
event.inner.length = USB_MAX_PACKET_SIZE;
int rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
if (rv < 0) {
return rv;
}
if (event.inner.type != USB_FUZZER_EVENT_CONTROL) {
return -1;
}
bool response_found = false;
char* response_data = NULL;
uint32_t response_length = 0;
if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
response_found = lookup_control_response(descs, resps, &event.ctrl,
&response_data, &response_length);
if (!response_found) {
return -1;
}
} else {
response_length = event.ctrl.wLength;
}
struct usb_fuzzer_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
response_length = 0;
if (event.ctrl.wLength < response_length)
response_length = event.ctrl.wLength;
if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
response_length = USB_MAX_PACKET_SIZE;
}
response.inner.length = response_length;
if (response_data)
memcpy(&response.data[0], response_data, response_length);
else
memset(&response.data[0], 0, response_length);
if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
} else {
rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
}
if (rv < 0) {
return rv;
}
sleep_ms(200);
return 0;
}
static volatile long syz_usb_disconnect(volatile long a0)
{
int fd = a0;
int rv = close(fd);
sleep_ms(200);
return rv;
}
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
(uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
static void setup_common()
{
if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
}
}
static void loop();
static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
setsid();
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 32 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 136 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
if (unshare(CLONE_NEWNS)) {
}
if (unshare(CLONE_NEWIPC)) {
}
if (unshare(0x02000000)) {
}
if (unshare(CLONE_NEWUTS)) {
}
if (unshare(CLONE_SYSVSEM)) {
}
typedef struct {
const char* name;
const char* value;
} sysctl_t;
static const sysctl_t sysctls[] = {
{"/proc/sys/kernel/shmmax", "16777216"},
{"/proc/sys/kernel/shmall", "536870912"},
{"/proc/sys/kernel/shmmni", "1024"},
{"/proc/sys/kernel/msgmax", "8192"},
{"/proc/sys/kernel/msgmni", "1024"},
{"/proc/sys/kernel/msgmnb", "1024"},
{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
};
unsigned i;
for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
write_file(sysctls[i].name, sysctls[i].value);
}
int wait_for_loop(int pid)
{
if (pid < 0)
exit(1);
int status = 0;
while (waitpid(-1, &status, __WALL) != pid) {
}
return WEXITSTATUS(status);
}
static void drop_caps(void)
{
struct __user_cap_header_struct cap_hdr = {};
struct __user_cap_data_struct cap_data[2] = {};
cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
cap_hdr.pid = getpid();
if (syscall(SYS_capget, &cap_hdr, &cap_data))
exit(1);
const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
cap_data[0].effective &= ~drop;
cap_data[0].permitted &= ~drop;
cap_data[0].inheritable &= ~drop;
if (syscall(SYS_capset, &cap_hdr, &cap_data))
exit(1);
}
static int do_sandbox_none(void)
{
if (unshare(CLONE_NEWPID)) {
}
int pid = fork();
if (pid != 0)
return wait_for_loop(pid);
setup_common();
sandbox_common();
drop_caps();
initialize_netdevices_init();
if (unshare(CLONE_NEWNET)) {
}
initialize_netdevices();
loop();
exit(1);
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
int i;
for (i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
static void close_fds()
{
int fd;
for (fd = 3; fd < 30; fd++)
close(fd);
}
static void setup_binfmt_misc()
{
if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) {
}
write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:");
write_file("/proc/sys/fs/binfmt_misc/register",
":syz1:M:1:\x02::./file0:POC");
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
int i, call, thread;
int collide = 0;
again:
for (call = 0; call < 6; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
if (collide && (call % 2) == 0)
break;
event_timedwait(&th->done,
45 + (call == 0 ? 2000 : 0) + (call == 1 ? 300 : 0) +
(call == 2 ? 2000 : 0) + (call == 3 ? 300 : 0));
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
close_fds();
if (!collide) {
collide = 1;
goto again;
}
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter;
for (iter = 0;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5 * 1000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res;
switch (call) {
case 0:
*(uint8_t*)0x20000000 = 0x12;
*(uint8_t*)0x20000001 = 1;
*(uint16_t*)0x20000002 = 0;
*(uint8_t*)0x20000004 = 0;
*(uint8_t*)0x20000005 = 0;
*(uint8_t*)0x20000006 = 0;
*(uint8_t*)0x20000007 = 8;
*(uint16_t*)0x20000008 = 0x525;
*(uint16_t*)0x2000000a = 0xa4a8;
*(uint16_t*)0x2000000c = 0x40;
*(uint8_t*)0x2000000e = 0;
*(uint8_t*)0x2000000f = 0;
*(uint8_t*)0x20000010 = 0;
*(uint8_t*)0x20000011 = 1;
*(uint8_t*)0x20000012 = 9;
*(uint8_t*)0x20000013 = 2;
*(uint16_t*)0x20000014 = 0x3c1;
*(uint8_t*)0x20000016 = 1;
*(uint8_t*)0x20000017 = 1;
*(uint8_t*)0x20000018 = 0;
*(uint8_t*)0x20000019 = 0;
*(uint8_t*)0x2000001a = 0;
*(uint8_t*)0x2000001b = 9;
*(uint8_t*)0x2000001c = 4;
*(uint8_t*)0x2000001d = 0;
*(uint8_t*)0x2000001e = 0;
*(uint8_t*)0x2000001f = 0x12;
*(uint8_t*)0x20000020 = 7;
*(uint8_t*)0x20000021 = 1;
*(uint8_t*)0x20000022 = 3;
*(uint8_t*)0x20000023 = 0;
*(uint8_t*)0x20000024 = 9;
*(uint8_t*)0x20000025 = 5;
*(uint8_t*)0x20000026 = 1;
*(uint8_t*)0x20000027 = 2;
*(uint16_t*)0x20000028 = 0;
*(uint8_t*)0x2000002a = 0;
*(uint8_t*)0x2000002b = 0;
*(uint8_t*)0x2000002c = 0;
*(uint8_t*)0x2000002d = 9;
*(uint8_t*)0x2000002e = 5;
*(uint8_t*)0x2000002f = 0x82;
*(uint8_t*)0x20000030 = 2;
*(uint16_t*)0x20000031 = 0x355;
*(uint8_t*)0x20000033 = 0;
*(uint8_t*)0x20000034 = 0;
*(uint8_t*)0x20000035 = 0;
res = syz_usb_connect(0, 0x36, 0x20000000, 0);
if (res != -1)
r[0] = res;
break;
case 1:
*(uint32_t*)0x20000900 = 0xac;
*(uint64_t*)0x20000904 = 0;
*(uint64_t*)0x2000090c = 0;
*(uint64_t*)0x20000914 = 0;
*(uint64_t*)0x2000091c = 0;
*(uint64_t*)0x20000924 = 0;
*(uint64_t*)0x2000092c = 0;
*(uint64_t*)0x20000934 = 0;
*(uint64_t*)0x2000093c = 0;
*(uint64_t*)0x20000944 = 0;
*(uint64_t*)0x2000094c = 0;
*(uint64_t*)0x20000954 = 0;
*(uint64_t*)0x2000095c = 0;
*(uint64_t*)0x20000964 = 0;
*(uint64_t*)0x2000096c = 0;
*(uint64_t*)0x20000974 = 0;
*(uint64_t*)0x2000097c = 0;
*(uint64_t*)0x20000984 = 0;
*(uint64_t*)0x2000098c = 0;
*(uint64_t*)0x20000994 = 0;
*(uint64_t*)0x2000099c = 0;
*(uint64_t*)0x200009a4 = 0;
syz_usb_control_io(r[0], 0, 0x20000900);
break;
case 2:
*(uint64_t*)0x20000240 = 0;
res = syz_usb_connect(2, 1, 0x20000240, 0);
if (res != -1)
r[1] = res;
break;
case 3:
syz_usb_disconnect(r[1]);
break;
case 4:
syz_open_dev(0xc, 0xb4, 0);
break;
case 5:
syscall(__NR_write, -1, 0, 0);
break;
}
}
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
setup_binfmt_misc();
for (procid = 0; procid < 6; procid++) {
if (fork() == 0) {
do_sandbox_none();
}
}
sleep(1000000);
return 0;
}