sys/linux: add UAC2, UAC3, and MIDI USB audio class descriptions

berkgoksel · berkgoksel · commit 364746b2a490 · 2026-01-20T22:04:17.000+03:00
This patch extends the USB audio fuzzing support by adding syzlang
descriptions for:

- UAC2 (USB Audio Class 2.0) devices with clock management units,
  interface association descriptors, and extended format types.
- UAC3 (USB Audio Class 3.0) devices including power domain
  descriptors and cluster information segments.
- USB MIDI devices with jack descriptors and streaming endpoints.

A new generateAudioDeviceDescriptor function patches in both
auto-extracted USB IDs from the kernel driver matching rules and
hardcoded quirk IDs from the USB audio driver sources (sound/usb/).
This approach follows the pattern established for the HID and printer
classes, allowing exercising driver quirks that cannot be automatically
extracted.

The config descriptor template now includes an EXTRA field to support
Interface Association Descriptors required by UAC2/UAC3. This also
requires adjusting the interface field index in patchUsbDeviceID.
diff --git a/AUTHORS b/AUTHORS
@@ -55,3 +55,4 @@ Elektrobit Automotive GmbH
 Rivos Inc.
 Jeongjun Park
 International Business Machines Corporation
+Berk Cem Goksel
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
@@ -147,3 +147,4 @@ International Business Machines Corporation
  Andrew Donnellan
  Alexander Egorenkov
  Alexey Kardashevskiy
+Berk Cem Goksel
diff --git a/sys/linux/init.go b/sys/linux/init.go
@@ -64,6 +64,10 @@ func InitTarget(target *prog.Target) {
 		"usb_device_descriptor":         arch.generateUsbDeviceDescriptor,
 		"usb_device_descriptor_printer": arch.generateUsbPrinterDeviceDescriptor,
 		"usb_device_descriptor_hid":     arch.generateUsbHidDeviceDescriptor,
+		"usb_device_descriptor_uac1":    arch.generateAudioDeviceDescriptor,
+		"usb_device_descriptor_uac2":    arch.generateAudioDeviceDescriptor,
+		"usb_device_descriptor_uac3":    arch.generateAudioDeviceDescriptor,
+		"usb_device_descriptor_midi":    arch.generateAudioDeviceDescriptor,
 	}
 
 	target.AuxResources = map[string]bool{
diff --git a/sys/linux/init_vusb.go b/sys/linux/init_vusb.go
@@ -112,6 +112,154 @@ func (arch *arch) generateUsbPrinterDeviceDescriptor(g *prog.Gen, typ0 prog.Type
 	return
 }
 
+func (arch *arch) generateAudioDeviceDescriptor(g *prog.Gen, typ0 prog.Type, dir prog.Dir, old prog.Arg) (
+	arg prog.Arg, calls []*prog.Call) {
+	if old == nil {
+		arg = g.GenerateSpecialArg(typ0, dir, &calls)
+	} else {
+		arg = prog.CloneArg(old)
+		calls = g.MutateArg(arg)
+	}
+	if g.Target().ArgContainsAny(arg) {
+		return
+	}
+	// Roll the dice to decide if and how we want to patch audio device IDs.
+	switch {
+	case g.Rand().Intn(3) == 0:
+		// Syzlang descriptions already contain passable IDs, leave them as is.
+		return
+	case g.Rand().Intn(2) == 0:
+		// Patch in quirk IDs that are hardcoded in the USB audio class drivers
+		// (and thus are not auto-extractable) to allow exercising driver quirks.
+		var idVendor uint16
+		var idProduct uint16
+		quirksIDs := [][2]uint16{
+			// sound/usb/quirks.c
+			{0x041e, 0x3000},
+			{0x041e, 0x3020},
+			{0x10f5, 0x0200},
+			{0x0d8c, 0x0102},
+			{0x0ccd, 0x00b1},
+			{0x1235, 0x0010},
+			{0x1235, 0x0018},
+			{0x0763, 0x2012},
+			{0x047f, 0xc010},
+			{0x2466, 0x8010},
+			// sound/usb/stream.c ?
+			{0x04fa, 0x4201},
+			// sound/usb/midi.c
+			{0x0a67, 0x5011},
+			{0x0a92, 0x1020},
+			{0x1430, 0x474b},
+			{0x15ca, 0x0101},
+			{0x15ca, 0x1806},
+			{0x1a86, 0x752d},
+			{0xfc08, 0x0101},
+			{0x0644, 0x800e},
+			{0x0644, 0x800f},
+			{0x0763, 0x0150},
+			// Test if this covers midi.c | grep USB_VID_VENDOR
+			{0x0582, 0x0582},
+			//sound/usb/card.c
+			{0x18d1, 0x2d04},
+			{0x18d1, 0x2d05},
+			//sound/usb/format.c
+			{0x0582, 0x0016},
+			{0x0582, 0x000c},
+			{0x0d8c, 0x0201},
+			{0x0d8c, 0x0102},
+			{0x0d8c, 0x0078},
+			{0x0ccd, 0x00b1},
+			{0x041e, 0x4064},
+			{0x041e, 0x4068},
+			{0x194f, 0x010c},
+			{0x0e41, 0x4241},
+			{0x0e41, 0x4241},
+			{0x0e41, 0x4242},
+			{0x0e41, 0x4244},
+			{0x0e41, 0x4246},
+			{0x0e41, 0x4247},
+			{0x0e41, 0x4248},
+			{0x0e41, 0x4249},
+			{0x0e41, 0x424a},
+			{0x19f7, 0x0011},
+			{0x0e41, 0x3000},
+			{0x0e41, 0x3020},
+			{0x0e41, 0x3061},
+			{0x0a67, 0x5011},
+			//sound/usb/mixer_quirks.c
+			{0x041e, 0x3000},
+			{0x041e, 0x3020},
+			{0x041e, 0x3040},
+			{0x041e, 0x3042},
+			{0x041e, 0x3048},
+			{0x041e, 0x30df},
+			{0x041e, 0x3237},
+			{0x041e, 0x323b},
+			{0x041e, 0x3263},
+			{0x0644, 0x8047},
+			{0x0b05, 0x1739},
+			{0x0b05, 0x1743},
+			{0x0b05, 0x17a0},
+			{0x0bda, 0x4014},
+			{0x0d8c, 0x000c},
+			{0x0d8c, 0x0014},
+			{0x0d8c, 0x0103},
+			{0x1235, 0x8002},
+			{0x1235, 0x8004},
+			{0x1235, 0x800c},
+			{0x1235, 0x8012},
+			{0x1235, 0x8014},
+			{0x1235, 0x8201},
+			{0x1235, 0x8203},
+			{0x1235, 0x8204},
+			{0x1235, 0x8210},
+			{0x1235, 0x8211},
+			{0x1235, 0x8212},
+			{0x1235, 0x8213},
+			{0x1235, 0x8214},
+			{0x1235, 0x8215},
+			{0x17cc, 0x1011},
+			{0x17cc, 0x1021},
+			{0x194f, 0x010c},
+			{0x200c, 0x1018},
+			{0x21b4, 0x0081},
+			{0x2a39, 0x3fb0},
+			{0x2a39, 0x3fd2},
+			{0x2a39, 0x3fd3},
+			{0x2a39, 0x3fd4},
+			// yamaha
+			{0x0499, 0x0499},
+			{0x0582, 0x0582},
+		}
+		idx := g.Rand().Intn(len(quirksIDs))
+		idVendor = quirksIDs[idx][0]
+		idProduct = quirksIDs[idx][1]
+		devArg := arg.(*prog.GroupArg).Inner[0]
+		patchGroupArg(devArg, 7, "idVendor", uint64(idVendor))
+		patchGroupArg(devArg, 8, "idProduct", uint64(idProduct))
+	default:
+		// Patch in IDs auto-extracted from the matching rules for the USB audio class.
+		// Do not patch IDs that are not used in the matching rules to avoid subverting
+		// the kernel into matching the device to a different driver.
+		// TODO: some of these strings might be missing is dict, check
+		ids := usbIds["snd-bcd2000"] +
+			usbIds["snd-ua101"] +
+			usbIds["snd-usb-6fire"] +
+			usbIds["snd-usb-audio"] +
+			usbIds["snd-usb-caiaq"] +
+			usbIds["snd-usb-hiface"] +
+			usbIds["snd-usb-us122l"] +
+			usbIds["snd-usb-usx2y"] +
+			usbIds["snd_usb_pod"] +
+			usbIds["snd_usb_podhd"] +
+			usbIds["snd_usb_toneport"] +
+			usbIds["snd_usb_variax"]
+		patchUsbDeviceID(g, &arg, calls, ids, false)
+	}
+	return
+}
+
 func patchUsbDeviceID(g *prog.Gen, arg *prog.Arg, calls []*prog.Call, ids string, patchNonMatching bool) {
 	id := randUsbDeviceID(g, ids, patchNonMatching)
 
@@ -138,7 +286,7 @@ func patchUsbDeviceID(g *prog.Gen, arg *prog.Arg, calls []*prog.Call, ids string
 	}
 
 	configArg := devArg.(*prog.GroupArg).Inner[14].(*prog.GroupArg).Inner[0].(*prog.GroupArg).Inner[0]
-	interfacesArg := configArg.(*prog.GroupArg).Inner[8]
+	interfacesArg := configArg.(*prog.GroupArg).Inner[9]
 
 	for i, interfaceArg := range interfacesArg.(*prog.GroupArg).Inner {
 		interfaceArg = interfaceArg.(*prog.GroupArg).Inner[0]
diff --git a/sys/linux/test/vusb_midi b/sys/linux/test/vusb_midi
@@ -0,0 +1,4 @@
+# requires: -repeat
+
+r0 = syz_usb_connect$midi(0x0, 0x0, &AUTO, &AUTO)
+syz_usb_control_io$midi(r0, 0x0, 0x0)
diff --git a/sys/linux/test/vusb_uac2 b/sys/linux/test/vusb_uac2
@@ -0,0 +1,4 @@
+# requires: -repeat
+
+r0 = syz_usb_connect$uac2(0x0, 0x0, &AUTO, &AUTO)
+syz_usb_control_io$uac2(r0, 0x0, 0x0)
diff --git a/sys/linux/test/vusb_uac3 b/sys/linux/test/vusb_uac3
@@ -0,0 +1,4 @@
+# requires: -repeat
+
+r0 = syz_usb_connect$uac3(0x0, 0x0, &AUTO, &AUTO)
+syz_usb_control_io$uac3(r0, 0x0, 0x0)
diff --git a/sys/linux/vusb.txt b/sys/linux/vusb.txt
diff --git a/sys/linux/vusb.txt.const b/sys/linux/vusb.txt.const
