Andrey Konovalov
I think you can do this via `usb_ep_fifo_status`, but it's not exposed in Raw Gadget (#12). Also the Dummy UDC does not appear to implement the `fifo_status` handler, so `usb_ep_fifo_status`...
> This PR breaks usb fuzzing, since, apparently, the kernel always routes the usb coverage via a kcov remote handle that equals the usb device's bus number (?): `For example,...
This change appears to fix the issue: ``` python diff --git a/facedancer/proxy.py b/facedancer/proxy.py index 6f053d9..26bca33 100644 --- a/facedancer/proxy.py +++ b/facedancer/proxy.py @@ -354,7 +354,10 @@ class LibUSB1Device: for interface in active_configuration:...
Please try this patch: ``` c diff --git a/proxy.cpp b/proxy.cpp index beefeb2..b28b726 100644 --- a/proxy.cpp +++ b/proxy.cpp @@ -249,6 +249,11 @@ void *ep_loop_read(void *arg) { ep.bEndpointAddress, transfer_type.c_str(), dir.c_str()); break; }...
What we can do is to extend the manager config to allow selectively disabling features. There's already the experimental `remote_cover` option that disables `flatrpc.FeatureExtraCoverage`. And both `syz-manager` and `syz-repro` take...
**Issue 4**. When `syz-repro` gets to generating a C repro, it also does not account for disabled features. `createStartOptions()` should supposedly take care of that, but somehow this does not...
`request.ack()` is used for OUT requests but calls `device.control_send()`, which is only for IN requests
Looked into this a bit. So `backend.ack_status_stage()` is only called by the proxy code and only to handle the STATUS stage of the OUT control requests. The rest of the...
It would be great to split these changes into separate commits with separate descriptions of what each change does. But I'll leave reviewing this to the Facedancer developers.
Awesome, thank you for working on this! I think we need to figure out what to do with those out-of-tree Raw Gadget changes first indeed. In Raw Gadget, the syscalls...
I think we'll need a separate daemon thread for `USB_RAW_IOCTL_EVENT_FETCH`/`service_irqs` and then separate threads for the non-control endpoints, possibly only for the IN ones — these are the ones that...