sys/linux: patch in hardcoded USB IDs for USB printer driver

xairy · a-nogikh · commit fd2d17b5741b · 2025-08-21T12:29:58.000Z
Some USB drivers contain quirks (special handling code) for USB devices
with specific USB IDs. Sometimes the IDs for these quirks are encoded in
the driver matching rules (and thus are auto-extracted into
sys/linux/init_vusb_ids.go), but sometimes these IDs are hardcoded in
the driver itself.

This patch extends the generateUsbPrinterDeviceDescriptor function to
also sometimes generate USB IDs to exercise the hardcoded quirks for the
USB printer class.

Similar functionality can be implemented for other USB drivers later.
diff --git a/sys/linux/init_vusb.go b/sys/linux/init_vusb.go
@@ -79,16 +79,34 @@ func (arch *arch) generateUsbPrinterDeviceDescriptor(g *prog.Gen, typ0 prog.Type
 		return
 	}
 
-	// syzlang descriptions already contain passable IDs.
-	// Roll the dice to decide if we want to patch them.
-	if g.Rand().Intn(2) == 0 {
+	// Roll the dice to decide if and how we want to patch printer USB IDs.
+	switch {
+	case g.Rand().Intn(3) == 0:
+		// Syzlang descriptions already contain passable IDs, leave them as is.
 		return
-	}
-
-	// Patch in IDs specific to the USB printer class.
-	// Only patch IDs that are used in the driver matching rules.
-	if ids, ok := usbIds["usblp"]; ok {
-		patchUsbDeviceID(g, &arg, calls, ids, false)
+	case g.Rand().Intn(2) == 0:
+		// Patch in quirk IDs that are hardcoded in the USB printer class driver
+		// (and thus are not auto-extractable) to allow exercising driver quirks;
+		// see quirk_printers in drivers/usb/class/usblp.c.
+		var idVendor int16
+		var idProduct int16
+		if g.Rand().Intn(2) == 0 { // USBLP_QUIRK_BIDIR
+			idVendor = 0x03f0
+			idProduct = 0x0004
+		} else { // USBLP_QUIRK_BAD_CLASS
+			idVendor = 0x04b8
+			idProduct = 0x0202
+		}
+		devArg := arg.(*prog.GroupArg).Inner[0]
+		patchGroupArg(devArg, 7, "idVendor", uint64(idVendor))
+		patchGroupArg(devArg, 8, "idProduct", uint64(idProduct))
+	default:
+		// Patch in IDs auto-extracted from the matching rules for the USB printer class.
+		// Do not patch IDs that are not used in the matching rules to avoid subverting
+		// the kernel into matching the device to a different driver.
+		if ids, ok := usbIds["usblp"]; ok {
+			patchUsbDeviceID(g, &arg, calls, ids, false)
+		}
 	}
 
 	return
