php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
11accb5cdff7977388fb604698fc7133f6491c0a
archived-php-src/sapi/fuzzer
History
Arnaud Le Blanc 11accb5cdf Preferably include from build dir (#13516) 
* Include from build dir first

This fixes out of tree builds by ensuring that configure artifacts are included
from the build dir.

Before, out of tree builds would preferably include files from the src dir, as
the include path was defined as follows (ignoring includes from ext/ and sapi/) :

    -I$(top_builddir)/main
    -I$(top_srcdir)
    -I$(top_builddir)/TSRM
    -I$(top_builddir)/Zend
    -I$(top_srcdir)/main
    -I$(top_srcdir)/Zend
    -I$(top_srcdir)/TSRM
    -I$(top_builddir)/

As a result, an out of tree build would include configure artifacts such as
`main/php_config.h` from the src dir.

After this change, the include path is defined as follows:

    -I$(top_builddir)/main
    -I$(top_builddir)
    -I$(top_srcdir)/main
    -I$(top_srcdir)
    -I$(top_builddir)/TSRM
    -I$(top_builddir)/Zend
    -I$(top_srcdir)/Zend
    -I$(top_srcdir)/TSRM

* Fix extension include path for out of tree builds

* Include config.h with the brackets form

`#include "config.h"` searches in the directory containing the including-file
before any other include path. This can include the wrong config.h when building
out of tree and a config.h exists in the source tree.

Using `#include <config.h>` uses exclusively the include path, and gives
priority to the build dir.
2024-06-26 00:26:43 +02:00
..
corpus
Fix spelling and grammar mistakes
2021-04-13 12:09:37 +02:00
dict
add missing keywords to parser fuzzer dict from PHP 7.4 to 8.3 (#13160)
2024-01-17 01:51:42 +01:00
config.m4
Fix fuzzer result message in configure log (#14278)
2024-05-20 20:46:09 +02:00
fuzzer-execute-common.h
fuzzer support for FreeBSD, getting opcache location
2022-01-18 15:04:42 +01:00
fuzzer-execute.c
Make sure dummy file for fuzzing exists
2021-09-22 10:58:25 +02:00
fuzzer-exif.c
Preferably include from build dir (#13516)
2024-06-26 00:26:43 +02:00
fuzzer-function-jit.c
Fix php.ini (add missing "\n")
2023-11-20 11:59:47 +03:00
fuzzer-json.c
Preferably include from build dir (#13516)
2024-06-26 00:26:43 +02:00
fuzzer-mbregex.c
Preferably include from build dir (#13516)
2024-06-26 00:26:43 +02:00
fuzzer-mbstring.c
Fix spurious failures of php-fuzz-mbstring
2023-11-28 21:04:17 +02:00
fuzzer-parser.c
Reduce max input size in parser fuzzer
2021-10-06 19:14:20 +02:00
fuzzer-sapi.c
Mark multple functions as static (#13864)
2024-05-22 13:11:46 +02:00
fuzzer-sapi.h
Add fuzzer for function JIT
2021-09-15 17:12:39 +02:00
fuzzer-tracing-jit.c
Improve JIT config in fuzzer SAPI (#12519)
2023-11-14 21:26:24 +03:00
fuzzer-unserialize.c
Preferably include from build dir (#13516)
2024-06-26 00:26:43 +02:00
fuzzer-unserializehash.c
Preferably include from build dir (#13516)
2024-06-26 00:26:43 +02:00
fuzzer.h
Update http->https in license (#6945)
2021-05-06 12:16:35 +02:00
generate_all.php
Add fuzzer for mb_convert_encoding
2022-05-08 22:34:23 +02:00
generate_corpus_util.php
Generate function-jit corpus in generate_all.php
2021-09-22 11:06:22 +02:00
generate_execute_corpus.php
Generate function-jit corpus in generate_all.php
2021-09-22 11:06:22 +02:00
generate_mbstring_dict.php
Add generate_mbstring_dict.php
2022-05-09 09:13:21 +02:00
generate_parser_corpus.php
Reduce max input size in parser fuzzer
2021-10-06 19:14:20 +02:00
generate_unserialize_dict.php
Fix unserialize dictionary generation
2022-07-30 17:14:22 +02:00
generate_unserializehash_corpus.php
Fuzzer: Gracefully handle hashes that cannot be serialized
2021-01-11 15:45:43 +01:00
json.dict
Makefile.frag
Merge branch 'PHP-8.2' into PHP-8.3
2024-01-10 09:13:39 +01:00
README.md
Fix GH-13978: Fuzzer readme still mentions obsolete --enable-json flag (#13983)
2024-04-16 22:16:51 +02:00

README.md

Fuzzing SAPI for PHP

The following ./configure options can be used to enable the fuzzing SAPI, as well as all available fuzzers. If you don't build the exif/json/mbstring extensions, fuzzers for these extensions will not be built.

CC=clang CXX=clang++ \
./configure \
    --disable-all \
    --enable-fuzzer \
    --with-pic \
    --enable-debug-assertions \
    --enable-address-sanitizer \
    --enable-exif \
    --enable-mbstring

The --with-pic option is required to avoid a linking failure. The --enable-debug-assertions option can be used to enable debug assertions despite the use of a release build.

You can combine fuzzing with --enable-address-sanitizer, --enable-undefined-sanitizer or --enable-memory-sanitizer. The first two options can also be used together.

You will need a recent version of clang that supports the -fsanitize=fuzzer-no-link option.

When running make it creates these binaries in sapi/fuzzer/:

  • php-fuzz-parser: Fuzzing language parser and compiler
  • php-fuzz-unserialize: Fuzzing unserialize() function
  • php-fuzz-unserializehash: Fuzzing unserialize() for HashContext objects
  • php-fuzz-json: Fuzzing JSON parser
  • php-fuzz-exif: Fuzzing exif_read_data() function (requires --enable-exif)
  • php-fuzz-mbstring: Fuzzing mb_convert_encoding() (requires --enable-mbstring)
  • php-fuzz-mbregex: Fuzzing mb_ereg[i]() (requires --enable-mbstring)
  • php-fuzz-execute: Fuzzing the executor
  • php-fuzz-function-jit: Fuzzing the function JIT (requires --enable-opcache)
  • php-fuzz-tracing-jit: Fuzzing the tracing JIT (requires --enable-opcache)

Some fuzzers have a seed corpus in sapi/fuzzer/corpus. You can use it as follows:

cp -r sapi/fuzzer/corpus/exif ./my-exif-corpus
sapi/fuzzer/php-fuzz-exif ./my-exif-corpus

For the unserialize fuzzer, a dictionary of internal classes should be generated first:

sapi/cli/php sapi/fuzzer/generate_unserialize_dict.php
cp -r sapi/fuzzer/corpus/unserialize ./my-unserialize-corpus
sapi/fuzzer/php-fuzz-unserialize -dict=$PWD/sapi/fuzzer/dict/unserialize ./my-unserialize-corpus

For the unserializehash fuzzer, generate a corpus of initial hash serializations:

sapi/cli/php sapi/fuzzer/generate_unserializehash_corpus.php
cp -r sapi/fuzzer/corpus/unserializehash ./my-unserialize-corpus
sapi/fuzzer/php-fuzz-unserializehash ./my-unserialize-corpus

For the parser fuzzer, a corpus may be generated from Zend test files:

sapi/cli/php sapi/fuzzer/generate_parser_corpus.php
mkdir ./my-parser-corpus
sapi/fuzzer/php-fuzz-parser -merge=1 ./my-parser-corpus sapi/fuzzer/corpus/parser
sapi/fuzzer/php-fuzz-parser -only_ascii=1 ./my-parser-corpus

For the execute, function-jit and tracing-jit fuzzers, a corpus may be generated from any set of test files:

sapi/cli/php sapi/fuzzer/generate_execute_corpus.php ./execute-corpus Zend/tests ext/opcache/tests/jit
sapi/fuzzer/php-fuzzer-function-jit ./execute-corpus

For the mbstring fuzzer, a dictionary of encodings should be generated first:

sapi/cli/php sapi/fuzzer/generate_mbstring_dict.php
sapi/fuzzer/php-fuzz-mbstring -dict=$PWD/sapi/fuzzer/dict/mbstring ./my-mbstring-corpus

For the mbregex fuzzer, you may want to build the libonig dependency with instrumentation. At this time, libonig is not clean under ubsan, so only the fuzzer and address sanitizers may be used.

git clone https://github.com/kkos/oniguruma.git
pushd oniguruma
autoreconf -vfi
./configure CC=clang CFLAGS="-fsanitize=fuzzer-no-link,address -O2 -g"
make
popd

export ONIG_CFLAGS="-I$PWD/oniguruma/src"
export ONIG_LIBS="-L$PWD/oniguruma/src/.libs -l:libonig.a"

This will link an instrumented libonig statically into the PHP binary.

Reference in New Issue View Git Blame Copy Permalink