This page describes the current state of external USB fuzzing support in syzkaller. Note, that it's still in development and things might change.
This allowed to find over 80 bugs in the Linux kernel USB stack so far.
How to set this up:
Checkout the usb-fuzzer branch from https://github.com/google/kasan
Configure and build the kernel. You need to enable CONFIG_USB_FUZZER=y, CONFIG_USB_DUMMY_HCD=y and all the USB drivers you're interested in fuzzing:
menu config -> Device Drivers -> USB Support ->
-> USB Gadget Support (enable) ->
-> USB Peripheral Controller -> Dummy HCD (enable)
-> USB Gadget Fuzzer (enable)
Update syzkaller descriptions by extracting USB device info using the instructions below.
Enable syz_usb_connect, syz_usb_disconnect, syz_usb_control_io and syz_usb_ep_write syscalls in the manager config.
Set sandbox to none in the manager config.
Pass dummy_hcd.num=8 to the kernel command line in the maganer config.
Run.
Syzkaller descriptions for USB fuzzing can be found here: 1, 2 and 3.
Apply this kernel patch.
Build and boot the kernel.
Connect some USB device to it (e.g. with syz-exeprog usb.log, where usb.log is some program that utilizes the syz_usb_connect syzcall).
Use syz-usbgen script to update syzkaller descriptions.