commit 2bccff343e93e2a592d6165a4ff0d831e700b3b1 Author: Kees Cook Date: Fri May 11 12:29:21 2012 -0700 Xorg-crashing Keyboard demo This builds a Minimus with a malicious keyboard name. Signed-off-by: Kees Cook diff --git a/trunk/Demos/Device/ClassDriver/Keyboard/Descriptors.c b/trunk/Demos/Device/ClassDriver/Keyboard/Descriptors.c index 84ec47a..19f99bc 100644 --- a/trunk/Demos/Device/ClassDriver/Keyboard/Descriptors.c +++ b/trunk/Demos/Device/ClassDriver/Keyboard/Descriptors.c @@ -67,8 +67,8 @@ const USB_Descriptor_Device_t PROGMEM DeviceDescriptor = .Endpoint0Size = FIXED_CONTROL_ENDPOINT_SIZE, - .VendorID = 0x03EB, - .ProductID = 0x2042, + .VendorID = 0x045e, + .ProductID = 0x000b, .ReleaseNumber = VERSION_BCD(00.01), .ManufacturerStrIndex = 0x01, @@ -155,9 +155,9 @@ const USB_Descriptor_String_t PROGMEM LanguageString = */ const USB_Descriptor_String_t PROGMEM ManufacturerString = { - .Header = {.Size = USB_STRING_LEN(11), .Type = DTYPE_String}, + .Header = {.Size = USB_STRING_LEN(16), .Type = DTYPE_String}, - .UnicodeString = L"Dean Camera" + .UnicodeString = L"Microsoft Neural" }; /** Product descriptor string. This is a Unicode string containing the product's details in human readable form, @@ -166,9 +166,9 @@ const USB_Descriptor_String_t PROGMEM ManufacturerString = */ const USB_Descriptor_String_t PROGMEM ProductString = { - .Header = {.Size = USB_STRING_LEN(18), .Type = DTYPE_String}, + .Header = {.Size = USB_STRING_LEN(19), .Type = DTYPE_String}, - .UnicodeString = L"LUFA Keyboard Demo" + .UnicodeString = L"Keyboard (%n%n%n%n)" }; /** This function is called by the library when in device mode, and must be overridden (see library "USB Descriptors" diff --git a/trunk/Demos/Device/ClassDriver/Keyboard/Keyboard.c b/trunk/Demos/Device/ClassDriver/Keyboard/Keyboard.c index 24bf8d5..1c681c2 100644 --- a/trunk/Demos/Device/ClassDriver/Keyboard/Keyboard.c +++ b/trunk/Demos/Device/ClassDriver/Keyboard/Keyboard.c @@ -39,6 +39,9 @@ /** Buffer to hold the previously generated Keyboard HID report, for comparison purposes inside the HID class driver. */ static uint8_t PrevKeyboardHIDReportBuffer[sizeof(USB_KeyboardReport_Data_t)]; +static char KeyBuffer[32]; +static char *KeyBufferPointer = NULL; + /** LUFA HID Class driver interface configuration and state information. This structure is * passed to all HID Class driver functions, so that multiple instances of the same class * within a device can be differentiated from one another. @@ -65,13 +68,41 @@ USB_ClassInfo_HID_Device_t Keyboard_HID_Interface = */ int main(void) { + static uint8_t ButtonHistory = 0; + int i; + SetupHardware(); LEDs_SetAllLEDs(LEDMASK_USB_NOTREADY); sei(); + /* Initialization delay, with event processing. */ +/* + for (i = 0; i < 1000; ++ i) { + Delay_MS(1); + + HID_Device_USBTask(&Keyboard_HID_Interface); + USB_USBTask(); + } + + strcpy(KeyBuffer, "Oh hai thar!\n"); + KeyBufferPointer = KeyBuffer; +*/ + for (;;) { + uint8_t ButtonStatus_LCL = Buttons_GetStatus(); + + /* Button edge detection! Not sure how to tell time for real denouncing... */ + if (ButtonStatus_LCL != ButtonHistory) { + ButtonHistory = ButtonStatus_LCL; + + if (!KeyBufferPointer && (ButtonStatus_LCL & BUTTONS_BUTTON1)) { + strcpy(KeyBuffer, "Oh hai!\n"); + KeyBufferPointer = KeyBuffer; + } + } + HID_Device_USBTask(&Keyboard_HID_Interface); USB_USBTask(); } @@ -88,7 +119,6 @@ void SetupHardware() clock_prescale_set(clock_div_1); /* Hardware Initialization */ - Joystick_Init(); LEDs_Init(); Buttons_Init(); USB_Init(); @@ -130,6 +160,54 @@ void EVENT_USB_Device_StartOfFrame(void) HID_Device_MillisecondElapsed(&Keyboard_HID_Interface); } +void InjectScancode(USB_KeyboardReport_Data_t* KeyboardReport, char key) +{ + if (key >= 'a' && key <= 'z') { + KeyboardReport->KeyCode[0] = key - 'a' + HID_KEYBOARD_SC_A; + } else if (key >= 'A' && key <= 'Z') { + KeyboardReport->KeyCode[0] = key - 'A' + HID_KEYBOARD_SC_A; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key >= '1' && key <= '9') { + KeyboardReport->KeyCode[0] = key - '1' + HID_KEYBOARD_SC_1_AND_EXCLAMATION; + } else if (key == '0') { + KeyboardReport->KeyCode[0] = key - '0' + HID_KEYBOARD_SC_0_AND_CLOSING_PARENTHESIS; + } else if (key == '!') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_1_AND_EXCLAMATION; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == '@') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_2_AND_AT; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == '#') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_3_AND_HASHMARK; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == '$') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_4_AND_DOLLAR; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == '%') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_5_AND_PERCENTAGE; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == '^') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_6_AND_CARET; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == '&') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_7_AND_AND_AMPERSAND; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == '*') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_8_AND_ASTERISK; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == '(') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_9_AND_OPENING_PARENTHESIS; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == ')') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_0_AND_CLOSING_PARENTHESIS; + KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + } else if (key == ' ') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_SPACE; + } else if (key == '\n') { + KeyboardReport->KeyCode[0] = HID_KEYBOARD_SC_ENTER; + } +} + /** HID class driver callback function for the creation of HID reports to the host. * * \param[in] HIDInterfaceInfo Pointer to the HID class interface configuration structure being referenced @@ -146,34 +224,36 @@ bool CALLBACK_HID_Device_CreateHIDReport(USB_ClassInfo_HID_Device_t* const HIDIn void* ReportData, uint16_t* const ReportSize) { + static bool IsKeyReleaseReport = true; USB_KeyboardReport_Data_t* KeyboardReport = (USB_KeyboardReport_Data_t*)ReportData; - uint8_t JoyStatus_LCL = Joystick_GetStatus(); - uint8_t ButtonStatus_LCL = Buttons_GetStatus(); - - uint8_t UsedKeyCodes = 0; - - if (JoyStatus_LCL & JOY_UP) - KeyboardReport->KeyCode[UsedKeyCodes++] = HID_KEYBOARD_SC_A; - else if (JoyStatus_LCL & JOY_DOWN) - KeyboardReport->KeyCode[UsedKeyCodes++] = HID_KEYBOARD_SC_B; - - if (JoyStatus_LCL & JOY_LEFT) - KeyboardReport->KeyCode[UsedKeyCodes++] = HID_KEYBOARD_SC_C; - else if (JoyStatus_LCL & JOY_RIGHT) - KeyboardReport->KeyCode[UsedKeyCodes++] = HID_KEYBOARD_SC_D; + *ReportSize = 0; + if (!KeyBufferPointer) + return false; - if (JoyStatus_LCL & JOY_PRESS) - KeyboardReport->KeyCode[UsedKeyCodes++] = HID_KEYBOARD_SC_E; + /* Key reports must be interleaved with key release reports, or repeated keys will be ignored */ + IsKeyReleaseReport = !IsKeyReleaseReport; - if (ButtonStatus_LCL & BUTTONS_BUTTON1) - KeyboardReport->KeyCode[UsedKeyCodes++] = HID_KEYBOARD_SC_F; - - if (UsedKeyCodes) - KeyboardReport->Modifier = HID_KEYBOARD_MODIFIER_LEFTSHIFT; + if (IsKeyReleaseReport) + { + /* No more data to send, or key release report between key presses */ + KeyboardReport->KeyCode[0] = 0x00; + if (KeyBufferPointer) + ++ KeyBufferPointer; + } + else if (KeyBufferPointer && *KeyBufferPointer) + { + /* Inject scan code. */ + InjectScancode(KeyboardReport, *KeyBufferPointer); + } + else { + KeyBufferPointer = NULL; + IsKeyReleaseReport = true; + return false; + } *ReportSize = sizeof(USB_KeyboardReport_Data_t); - return false; + return true; } /** HID class driver callback function for the processing of HID reports from the host. @@ -202,6 +282,6 @@ void CALLBACK_HID_Device_ProcessHIDReport(USB_ClassInfo_HID_Device_t* const HIDI if (*LEDReport & HID_KEYBOARD_LED_SCROLLLOCK) LEDMask |= LEDS_LED4; - LEDs_SetAllLEDs(LEDMask); + // LEDs_SetAllLEDs(LEDMask); } diff --git a/trunk/Demos/Device/ClassDriver/Keyboard/makefile b/trunk/Demos/Device/ClassDriver/Keyboard/makefile index eeb9e4f..ef504c3 100644 --- a/trunk/Demos/Device/ClassDriver/Keyboard/makefile +++ b/trunk/Demos/Device/ClassDriver/Keyboard/makefile @@ -60,7 +60,7 @@ # MCU name -MCU = at90usb1287 +MCU = atmega32u2 # Target architecture (see library "Board Types" documentation). @@ -70,7 +70,7 @@ ARCH = AVR8 # Target board (see library "Board Types" documentation, NONE for projects not requiring # LUFA board drivers). If USER is selected, put custom board drivers in a directory called # "Board" inside the application directory. -BOARD = USBKEY +BOARD = MINIMUS # Processor frequency. @@ -84,7 +84,7 @@ BOARD = USBKEY # does not *change* the processor frequency - it should merely be updated to # reflect the processor speed set externally so that the code can use accurate # software delays. -F_CPU = 8000000 +F_CPU = 16000000 # Input clock frequency. @@ -526,7 +526,7 @@ flip: $(TARGET).hex dfu: $(TARGET).hex dfu-programmer $(MCU) erase dfu-programmer $(MCU) flash $(TARGET).hex - dfu-programmer $(MCU) reset + dfu-programmer $(MCU) start flip-ee: $(TARGET).hex $(TARGET).eep $(COPY) $(TARGET).eep $(TARGET)eep.hex diff --git a/trunk/LUFA/Drivers/Board/Buttons.h b/trunk/LUFA/Drivers/Board/Buttons.h index bf85246..c6eecfe 100644 --- a/trunk/LUFA/Drivers/Board/Buttons.h +++ b/trunk/LUFA/Drivers/Board/Buttons.h @@ -119,7 +119,7 @@ #include "AVR8/UDIP/Buttons.h" #elif (BOARD == BOARD_CULV3) #include "AVR8/CULV3/Buttons.h" - #elif (BOARD == BOARD_MINIMUS) + #elif (BOARD == BOARD_MINIMUS || BOARD == BOARD_MAXIMUS) #include "AVR8/MINIMUS/Buttons.h" #elif (BOARD == BOARD_MICROSIN162) #include "AVR8/MICROSIN162/Buttons.h" diff --git a/trunk/LUFA/Drivers/Board/Joystick.h b/trunk/LUFA/Drivers/Board/Joystick.h index 0a1f9fa..35bd04d 100644 --- a/trunk/LUFA/Drivers/Board/Joystick.h +++ b/trunk/LUFA/Drivers/Board/Joystick.h @@ -116,7 +116,7 @@ #elif (BOARD == BOARD_EVK1100) #include "UC3/EVK1100/Joystick.h" #else - #include "Board/Joystick.h" + #include "Missing/Joystick.h" #endif /* Pseudo-Functions for Doxygen: */