This page describes the current state of external USB fuzzing support in syzkaller. Note that it is still in development and things might change.
So far this has found over 80 bugs in the Linux kernel USB stack.
How to set this up:

1. Check out the usb-fuzzer branch from https://github.com/google/kasan
2. Configure and build the kernel. You need to enable CONFIG_USB_FUZZER=y, CONFIG_USB_DUMMY_HCD=y and all the USB drivers you're interested in fuzzing:

       menuconfig -> Device Drivers -> USB support
         -> USB Gadget Support (enable)
         -> USB Peripheral Controller -> Dummy HCD (enable)
         -> USB Gadget Fuzzer (enable)

3. Update the syzkaller descriptions by extracting USB device info using the instructions below.
4. Enable the syz_usb_connect, syz_usb_disconnect, syz_usb_control_io and syz_usb_ep_write syscalls in the manager config.
5. Set sandbox to none in the manager config.
6. Pass dummy_hcd.num=8 to the kernel command line in the manager config.
7. Run.
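As an added example (not part of the original page), here is a syz-manager config that applies steps 4 to 6 together: the four USB pseudo-syscalls are the only enabled calls, sandbox is none, and dummy_hcd.num=8 goes on the kernel command line. The paths, the http address and the qemu VM sizes are placeholders to adjust; procs is kept at 8 to match dummy_hcd.num=8.

```json
{
	"target": "linux/amd64",
	"http": "127.0.0.1:56741",
	"workdir": "/path/to/syzkaller/workdir",
	"kernel_obj": "/path/to/kasan-usb-fuzzer/build",
	"image": "/path/to/image/stretch.img",
	"sshkey": "/path/to/image/stretch.id_rsa",
	"syzkaller": "/path/to/syzkaller",
	"procs": 8,
	"type": "qemu",
	"sandbox": "none",
	"enable_syscalls": [
		"syz_usb_connect",
		"syz_usb_disconnect",
		"syz_usb_control_io",
		"syz_usb_ep_write"
	],
	"vm": {
		"count": 4,
		"kernel": "/path/to/kasan-usb-fuzzer/build/arch/x86/boot/bzImage",
		"cmdline": "dummy_hcd.num=8",
		"cpu": 2,
		"mem": 2048
	}
}
```

Start it with syz-manager -config usb.cfg; an entry such as syz_usb_connect in enable_syscalls also covers its $-suffixed variants from the USB descriptions.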
Syzkaller descriptions for USB fuzzing can be found here: 1, 2 and 3.
To update the syzkaller USB IDs (the device info extraction referred to in step 3 above):

1. Apply this kernel patch.
2. Build and boot the kernel.
3. Connect some USB device to it (e.g. with syz-execprog usb.log, where usb.log is some program that uses the syz_usb_connect syscall).
4. Use the syz-usbgen script to update the syzkaller descriptions.