  1. // autogenerated by syzkaller (https://github.com/google/syzkaller)
  2.  
  3. #define _GNU_SOURCE
  4.  
#include <linux/usb/ch9.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <usbg/function/hid.h>
#include <usbg/function/loopback.h>
#include <usbg/function/midi.h>
#include <usbg/function/ms.h>
#include <usbg/function/net.h>
#include <usbg/function/printer.h>
#include <usbg/usbg.h>
  15.  
/* Upper bound on functions per gadget: sizes usb_gadget_device.func_conf[]
 * and the usbg_function* array in syz_attach_gadget_impl. A func_num read
 * from the descriptor buffer must stay within this limit. */
#define MAX_FUNC_NUM 2
/* Number of gadget slots in usb_device[]; the uid argument of
 * syz_attach_gadget indexes that array. */
#define MAX_DEVICE_NUM 8
  18.  
/*
 * Per-function attribute payload handed to usbg_create_function.
 * Every member starts at offset 0, so default_attr overlays the first int of
 * whichever libusbgx attrs struct is in use; the descriptor writes 0xffff
 * there to mean "no attributes" (syz_attach_gadget_impl then passes NULL
 * instead of this union). The union is copied raw out of the descriptor
 * buffer by parse_dev_descriptors, so its layout is part of the input format.
 */
union usbg_function_attr {
	int default_attr;
	struct usbg_f_midi_attrs midi_attr;
	struct usbg_f_ms_attrs ms_attr;
	struct usbg_f_net_attrs net_attr;
	struct usbg_f_printer_attrs printer_attr;
	struct usbg_f_loopback_attrs loopback_attr;
};
  27.  
/*
 * One function record of the descriptor: libusbgx function type plus its
 * attributes. parse_dev_descriptors copies these byte-wise from the buffer
 * at a fixed 40-byte stride, so field order and padding are part of the
 * input format — do not reorder.
 */
struct usbg_func_config {
	usbg_function_type f_type;
	union usbg_function_attr f_attrs;
};
  32.  
/*
 * A parsed gadget descriptor (see parse_dev_descriptors).
 * g_attrs / c_attrs point INTO the caller's raw buffer, not to owned memory,
 * so the buffer must outlive this struct. func_num is the number of valid
 * entries in func_conf[] and must not exceed MAX_FUNC_NUM.
 */
struct usb_gadget_device {
	struct usbg_gadget_attrs* g_attrs;
	struct usbg_config_attrs* c_attrs;
	int func_num;
	struct usbg_func_config func_conf[MAX_FUNC_NUM];
};
  39.  
/* One parsed descriptor per gadget slot; indexed by the uid passed to
 * syz_attach_gadget (which must therefore be < MAX_DEVICE_NUM). */
struct usb_gadget_device usb_device[MAX_DEVICE_NUM];

/* Fixed string descriptors used for every gadget created here
 * (passed to usbg_create_gadget). */
struct usbg_gadget_strs g_strs = {
	.manufacturer = (char*)"Foo Inc.",
	.product = (char*)"Bar Gadget",
	.serial = (char*)"12345678"};

/* Fixed configuration string used for the single config of each gadget
 * (passed to usbg_create_config). */
struct usbg_config_strs c_strs = {
	.configuration = (char*)"1xconf"};
  49.  
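/*
 * Create and enable gadget "g<uid>" through libusbgx on configfs.
 *
 * Sequence: usbg_init("/sys/kernel/config") -> usbg_create_gadget ->
 * usbg_create_function for each of dev->func_conf[0..func_num) ->
 * usbg_create_config -> usbg_add_config_function for each function ->
 * usbg_enable_gadget on the uid-th UDC reported by libusbgx.
 *
 * dev: descriptor parsed by parse_dev_descriptors. g_attrs and c_attrs are
 *      passed through untouched. func_num bounds both dev->func_conf[] and
 *      the local f[] array, so it is validated against MAX_FUNC_NUM here;
 *      the original trusted it and could overrun f[] on the stack.
 * uid: slot number; names the gadget and selects which UDC to bind to.
 *
 * Returns 0 on success, -1 otherwise, with the libusbgx error on stderr.
 * A gadget created before a later step fails is left in configfs; it is
 * removed by name by syz_detach_gadget.
 */
static volatile long syz_attach_gadget_impl(struct usb_gadget_device* dev, int uid)
{
	usbg_state* s;
	usbg_gadget* g;
	usbg_config* c;
	usbg_function* f[MAX_FUNC_NUM];
	usbg_udc* u;
	int ret = -1;
	int usbg_ret;
	char g_name[16]; /* "g" + any int (11 chars incl. sign) + NUL */

	if (dev->func_num < 0 || dev->func_num > MAX_FUNC_NUM) {
		fprintf(stderr, "Error: func_num %d out of range [0,%d]\n",
			dev->func_num, MAX_FUNC_NUM);
		goto out1;
	}

	/* snprintf rather than sprintf: the original's 10-byte buffer overflowed
	 * for negative or large uid values. */
	snprintf(g_name, sizeof g_name, "g%d", uid);

	usbg_ret = usbg_init("/sys/kernel/config", &s);
	if (usbg_ret != USBG_SUCCESS) {
		fprintf(stderr, "Error on usbg init\n");
		fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
			usbg_strerror((usbg_error)usbg_ret));
		goto out1; /* s was never initialised: nothing to clean up */
	}

	usbg_ret = usbg_create_gadget(s, g_name, dev->g_attrs, &g_strs, &g);
	if (usbg_ret != USBG_SUCCESS) {
		fprintf(stderr, "Error on creating gadget\n");
		fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
			usbg_strerror((usbg_error)usbg_ret));
		goto out2;
	}

	for (int i = 0; i < dev->func_num; i++) {
		char f_name[16];
		struct usbg_func_config* fc = &dev->func_conf[i];
		void* attrs;

		snprintf(f_name, sizeof f_name, "func%d", i);

		/* 0xffff in the first int of the attr union is the descriptor's
		 * "no attributes" marker: pass NULL so libusbgx applies its own
		 * defaults instead of the union contents. */
		attrs = (fc->f_attrs.default_attr == 0xffff) ? NULL : (void*)&fc->f_attrs;

		usbg_ret = usbg_create_function(g, fc->f_type, f_name, attrs, &f[i]);
		if (usbg_ret != USBG_SUCCESS) {
			fprintf(stderr, "Error on creating gadget func\n");
			fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
				usbg_strerror((usbg_error)usbg_ret));
			goto out2;
		}
	}

	usbg_ret = usbg_create_config(g, 1, "The only one config", dev->c_attrs, &c_strs, &c);
	if (usbg_ret != USBG_SUCCESS) {
		fprintf(stderr, "Error on creating gadget config\n");
		fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
			usbg_strerror((usbg_error)usbg_ret));
		goto out2;
	}

	/* Bind every created function to the single config. */
	for (int i = 0; i < dev->func_num; i++) {
		char f_name[16];

		snprintf(f_name, sizeof f_name, "f_name.%d", i);
		usbg_ret = usbg_add_config_function(c, f_name, f[i]);
		if (usbg_ret != USBG_SUCCESS) {
			fprintf(stderr, "Error on adding func to config\n");
			fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
				usbg_strerror((usbg_error)usbg_ret));
			goto out2;
		}
	}

	/* Walk to the uid-th UDC. If libusbgx reports fewer UDCs than that, the
	 * walk stops at NULL instead of calling usbg_get_next_udc on NULL as the
	 * original did; what usbg_enable_gadget does with a NULL udc is left to
	 * libusbgx, unchanged from the original. */
	u = usbg_get_first_udc(s);
	for (int i = 0; i < uid && u != NULL; i++)
		u = usbg_get_next_udc(u);

	usbg_ret = usbg_enable_gadget(g, u);
	if (usbg_ret != USBG_SUCCESS) {
		fprintf(stderr, "Error on enabling udc\n");
		fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
			usbg_strerror((usbg_error)usbg_ret));
		goto out2;
	}

	ret = 0;

out2:
	usbg_cleanup(s);
out1:
	return ret;
}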
  139.  
/*
 * Tear down gadget g: if a UDC is currently attached it is disabled first,
 * then the gadget is removed recursively (USBG_RM_RECURSE).
 *
 * Returns the libusbgx status of the disable step when that fails, otherwise
 * the status of usbg_rm_gadget. Errors are reported on stderr.
 */
static int remove_gadget(usbg_gadget* g)
{
	int rc;

	if (usbg_get_gadget_udc(g) != NULL) {
		rc = usbg_disable_gadget(g);
		if (rc != USBG_SUCCESS) {
			fprintf(stderr, "Error on disable gadget udc\n");
			fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)rc),
				usbg_strerror((usbg_error)rc));
			return rc;
		}
	}

	rc = usbg_rm_gadget(g, USBG_RM_RECURSE);
	if (rc != USBG_SUCCESS) {
		fprintf(stderr, "Error on gadget remove\n");
		fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)rc),
			usbg_strerror((usbg_error)rc));
	}

	return rc;
}
  167.  
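/*
 * Remove every configfs gadget named "g<uid>" (the name used by
 * syz_attach_gadget_impl), then pause 0.5 s.
 *
 * uid: slot number whose gadget should be removed.
 *
 * Returns 0 when usbg_init and every remove_gadget call succeed, -1
 * otherwise (the libusbgx error is printed to stderr). The name buffer is
 * filled with snprintf; the original's sprintf into a 10-byte buffer
 * overflowed for negative or large uid values.
 */
static volatile long syz_detach_gadget_impl(int uid)
{
	int usbg_ret;
	int ret = -1;
	usbg_state* s;
	usbg_gadget* g;
	char g_name_target[16]; /* "g" + any int (11 chars incl. sign) + NUL */

	snprintf(g_name_target, sizeof g_name_target, "g%d", uid);

	usbg_ret = usbg_init("/sys/kernel/config", &s);
	if (usbg_ret != USBG_SUCCESS) {
		fprintf(stderr, "Error on USB state init\n");
		fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
			usbg_strerror((usbg_error)usbg_ret));
		goto out1; /* s was never initialised: nothing to clean up */
	}

	/* The successor is fetched before remove_gadget, as in the original,
	 * since g is not usable once it has been removed. */
	g = usbg_get_first_gadget(s);
	while (g != NULL) {
		usbg_gadget* g_next = usbg_get_next_gadget(g);
		const char* g_name = usbg_get_gadget_name(g);

		if (g_name != NULL && strcmp(g_name, g_name_target) == 0) {
			usbg_ret = remove_gadget(g);
			if (usbg_ret != USBG_SUCCESS)
				goto out2;
		}
		g = g_next;
	}

	/* Settle time after removal, kept from the original. */
	usleep(500000);
	ret = 0;

out2:
	usbg_cleanup(s);
out1:
	return ret;
}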
  210.  
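/*
 * Decode the flat descriptor buffer (the one main() writes at 0x20000000)
 * into dev.
 *
 * Layout: struct usbg_gadget_attrs at offset 0, struct usbg_config_attrs
 * right after it, 2 bytes of padding, a 32-bit func_num, 4 more bytes, then
 * func_num usbg_func_config records at a fixed 40-byte stride.
 *
 * dev->g_attrs and dev->c_attrs point INTO buffer (no copy), so buffer must
 * outlive dev. func_num is clamped to [0, MAX_FUNC_NUM]: it comes straight
 * from the buffer and bounds the writes into dev->func_conf[] here and the
 * usbg_function* array in syz_attach_gadget_impl; the original wrote past
 * both for larger values. The integer and the records are read with memcpy
 * instead of a cast through a misaligned / aliasing pointer.
 */
static void parse_dev_descriptors(const char* buffer, struct usb_gadget_device* dev)
{
	const size_t attrs_end = sizeof(struct usbg_gadget_attrs) + sizeof(struct usbg_config_attrs);
	const size_t func_num_off = attrs_end + sizeof(int16_t);
	const size_t start_attr = func_num_off + 2 * sizeof(int32_t);
	const int conf_size = 40; /* record stride fixed by the descriptor format */
	int func_num;

	memset(dev, 0, sizeof(*dev));

	dev->g_attrs = (struct usbg_gadget_attrs*)buffer;
	dev->c_attrs = (struct usbg_config_attrs*)(buffer + attrs_end);

	memcpy(&func_num, buffer + func_num_off, sizeof func_num);
	if (func_num < 0)
		func_num = 0;
	else if (func_num > MAX_FUNC_NUM)
		func_num = MAX_FUNC_NUM;
	dev->func_num = func_num;

	printf("conf_size: %x\n", conf_size);

	/* NOTE(review): the stride is 40 bytes but each copy reads
	 * sizeof(struct usbg_func_config) bytes; if that is larger than 40 the
	 * records overlap in the buffer — confirm against the generator's layout. */
	for (int i = 0; i < func_num; i++)
		memcpy(&dev->func_conf[i], buffer + start_attr + (size_t)i * conf_size,
		       sizeof dev->func_conf[i]);
}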
  225.  
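/*
 * syzkaller pseudo-syscall: a0 = pointer to the raw descriptor buffer,
 * a1 = gadget slot (uid). Parses the buffer into usb_device[uid] and attaches
 * the gadget via syz_attach_gadget_impl.
 *
 * Returns -1 without touching anything when a0 is NULL or uid is not a valid
 * index into usb_device[]; the original indexed the array with an unchecked
 * 64-bit value, which is an out-of-bounds write for any uid >= MAX_DEVICE_NUM.
 */
static volatile long syz_attach_gadget(volatile long a0, volatile long a1)
{
	const char* dev = (const char*)a0;
	uint64_t uid = a1; /* negative a1 becomes huge and is rejected below */

	if (dev == NULL || uid >= MAX_DEVICE_NUM)
		return -1;

	parse_dev_descriptors(dev, &usb_device[uid]);
	return syz_attach_gadget_impl(&usb_device[uid], (int)uid);
}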
  233.  
/*
 * syzkaller pseudo-syscall: a0 is the gadget slot (uid). Removes the gadget
 * named "g<uid>" via syz_detach_gadget_impl and returns its result.
 */
static volatile long syz_detach_gadget(volatile long a0)
{
	return syz_detach_gadget_impl((int)a0);
}
  239. #include <endian.h>
  240. #include <stdint.h>
  241. #include <stdio.h>
  242. #include <stdlib.h>
  243. #include <string.h>
  244. #include <sys/syscall.h>
  245. #include <sys/types.h>
  246. #include <unistd.h>
  247.  
/*
 * Reproducer entry point: map the fixed syzkaller data region, tear down any
 * leftover gadget in slot 6, write one descriptor at 0x20000000 in the layout
 * parse_dev_descriptors expects, and attach it as slot 6.
 * Return values of mmap, syz_detach_gadget and syz_attach_gadget are not
 * checked (generated code).
 */
int main(void)
{
	/* Guard page, 16 MiB RWX data region, guard page. Flags 0x32 look like
	 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86 Linux — not verified here. */
	syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

	syz_detach_gadget(6);
	/* Offsets 0x00..0x0b: the usbg_gadget_attrs region (field order follows
	 * struct usbg_gadget_attrs; 0x13d3/0x3340 sit where idVendor/idProduct
	 * would be expected). */
	*(uint16_t*)0x20000000 = 0x200;
	*(uint8_t*)0x20000002 = 0;
	*(uint8_t*)0x20000003 = 0;
	*(uint8_t*)0x20000004 = 0;
	*(uint8_t*)0x20000005 = 0x58;
	*(uint16_t*)0x20000006 = 0x13d3;
	*(uint16_t*)0x20000008 = 0x3340;
	*(uint16_t*)0x2000000a = 0;
	/* Offsets 0x0c..0x0d: the usbg_config_attrs region. */
	*(uint8_t*)0x2000000c = 0x80;
	*(uint8_t*)0x2000000d = 0x4a;
	/* Offset 0x10: func_num = 2 (after 2 bytes of padding). */
	*(uint32_t*)0x20000010 = 2;
	/* Offset 0x18: func_conf[0] — f_type 0xa, attr union = 0xffff, which
	 * syz_attach_gadget_impl treats as "pass NULL attributes". */
	*(uint8_t*)0x20000018 = 0xa;
	*(uint32_t*)0x20000020 = 0xffff;
	/* Offset 0x40 (= 0x18 + 40-byte stride): func_conf[1] — f_type 0xb,
	 * again with the 0xffff "no attributes" marker. */
	*(uint8_t*)0x20000040 = 0xb;
	*(uint32_t*)0x20000048 = 0xffff;
	syz_attach_gadget(0x20000000, 6);
	return 0;
}
  273.  