php-src/sapi/fuzzer
Nikita Popov 4643c0aac5 Add additional entries to unserialize corpus
These are useful to seed typed property fuzzing.
2020-11-30 14:32:07 +01:00
corpus Add additional entries to unserialize corpus 2020-11-30 14:32:07 +01:00
dict Move scripts out of corpus/ directory 2019-09-16 20:18:29 +02:00
config.m4 Add experimental "execute" fuzzer 2020-08-27 13:06:24 +02:00
fuzzer-execute.c Reduce input size limit in execute fuzzer 2020-09-07 22:58:34 +02:00
fuzzer-exif.c Create memory stream in exif fuzzer 2020-02-19 10:24:12 +01:00
fuzzer-json.c Remove json checks in fuzzer SAPI 2020-05-29 12:08:45 +02:00
fuzzer-mbstring.c Fix mbstring fuzzer 2020-09-11 18:35:16 +02:00
fuzzer-parser.c Add experimental "execute" fuzzer 2020-08-27 13:06:24 +02:00
fuzzer-sapi.c Disable InfiniteIterator class while fuzzing 2020-09-04 10:59:55 +02:00
fuzzer-sapi.h Add experimental "execute" fuzzer 2020-08-27 13:06:24 +02:00
fuzzer-unserialize.c Extract some common fuzzer code 2020-06-30 15:05:02 +02:00
fuzzer-unserializehash.c Extract some common fuzzer code 2020-06-30 15:05:02 +02:00
fuzzer.h Remove mention of PHP major version in Copyright headers 2019-09-25 14:51:43 +02:00
generate_all.php Generate execute corpus in generate_all.php 2020-08-27 16:34:36 +02:00
generate_execute_corpus.php Reduce input size limit in execute fuzzer 2020-09-07 22:58:34 +02:00
generate_parser_corpus.php Reduce size limit in parser fuzzer 2019-11-07 21:20:34 +01:00
generate_unserialize_dict.php Move scripts out of corpus/ directory 2019-09-16 20:18:29 +02:00
generate_unserializehash_corpus.php Add unserializehash fuzzer. 2020-06-30 14:30:33 +02:00
json.dict Add fuzzer SAPIs to the core 2019-09-16 16:04:09 +02:00
Makefile.frag Add experimental "execute" fuzzer 2020-08-27 13:06:24 +02:00
README.md Generate execute corpus in generate_all.php 2020-08-27 16:34:36 +02:00

Fuzzing SAPI for PHP

The following ./configure options enable the fuzzing SAPI together with all available fuzzers. If the exif/json/mbstring extensions are not built, the fuzzers for those extensions are not built either.

CC=clang CXX=clang++ \
./configure \
    --disable-all \
    --enable-fuzzer \
    --with-pic \
    --enable-debug-assertions \
    --enable-exif \
    --enable-mbstring

The --with-pic option is required to avoid a linking failure. The --enable-debug-assertions option can be used to enable debug assertions despite the use of a release build.

You will need a recent version of clang that supports the -fsanitize=fuzzer-no-link option.

Running make then creates these binaries in sapi/fuzzer/:

  • php-fuzz-parser: Fuzzing language parser and compiler
  • php-fuzz-unserialize: Fuzzing unserialize() function
  • php-fuzz-unserializehash: Fuzzing unserialize() for HashContext objects
  • php-fuzz-json: Fuzzing JSON parser (requires --enable-json)
  • php-fuzz-exif: Fuzzing exif_read_data() function (requires --enable-exif)
  • php-fuzz-mbstring: Fuzzing mb_ereg[i]() (requires --enable-mbstring)
  • php-fuzz-execute: Fuzzing the executor

Some fuzzers have a seed corpus in sapi/fuzzer/corpus. You can use it as follows:

cp -r sapi/fuzzer/corpus/exif ./my-exif-corpus
sapi/fuzzer/php-fuzz-exif ./my-exif-corpus

For the unserialize fuzzer, a dictionary of internal classes should be generated first:

sapi/cli/php sapi/fuzzer/generate_unserialize_dict.php
cp -r sapi/fuzzer/corpus/unserialize ./my-unserialize-corpus
sapi/fuzzer/php-fuzz-unserialize -dict=$PWD/sapi/fuzzer/dict/unserialize ./my-unserialize-corpus
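The README does not show what the -dict= file looks like, so here is an added example (not code from php-src) that writes and re-parses a libFuzzer/AFL-format dictionary for the unserialize target. The class list is a constructed stand-in for the internal classes that generate_unserialize_dict.php enumerates; the entry and escaping rules are those of the libFuzzer dictionary format.

```python
import re
from typing import Dict, Iterable

# Constructed sample; the real script enumerates PHP's internal classes itself.
SAMPLE_CLASSES = ["stdClass", "ArrayObject", "SplObjectStorage"]


def dict_escape(token: bytes) -> str:
    """Quote a token for the libFuzzer/AFL dictionary format: printable
    ASCII as-is, '"' and '\\' backslash-escaped, other bytes as \\xNN."""
    out = []
    for b in token:
        if b in (0x22, 0x5C):            # '"' or '\'
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02X" % b)
    return '"' + "".join(out) + '"'


def unserialize_dict(classes: Iterable[str]) -> Dict[str, bytes]:
    """Tokens that steer the unserialize fuzzer: one O:<len>:"<Class>"
    object header per class plus the scalar/container type markers."""
    entries = {}
    for cls in classes:
        name = cls.encode()
        entries["obj_" + cls] = b'O:%d:"%s"' % (len(name), name)
    for tag, tok in (("int", b"i:"), ("str", b"s:"), ("arr", b"a:"), ("ref", b"R:")):
        entries[tag] = tok
    return entries


def render_dict(entries: Dict[str, bytes]) -> str:
    """Serialise entries as name="value" lines for -dict=."""
    return "".join(f"{name}={dict_escape(tok)}\n" for name, tok in entries.items())


_LINE = re.compile(r'^(?:([A-Za-z0-9_]+)=)?"(.*)"$')
_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(["\\])')


def parse_dict(text: str) -> Dict[str, bytes]:
    """Inverse of render_dict; rejects lines the fuzzer would not accept."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a dictionary entry: {line!r}")
        unesc = lambda e: chr(int(e.group(1), 16)) if e.group(1) else e.group(2)
        entries[m.group(1) or f"entry_{n}"] = _ESC.sub(unesc, m.group(2)).encode("latin-1")
    return entries
```

Writing render_dict(unserialize_dict(SAMPLE_CLASSES)) to a file gives something you can pass as -dict= alongside the generated one; parse_dict is handy for checking a hand-edited dictionary before a long fuzzing run.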

For the unserializehash fuzzer, generate a corpus of initial hash serializations:

sapi/cli/php sapi/fuzzer/generate_unserializehash_corpus.php
cp -r sapi/fuzzer/corpus/unserializehash ./my-unserializehash-corpus
sapi/fuzzer/php-fuzz-unserializehash ./my-unserializehash-corpus

For the parser fuzzer, a corpus may be generated from Zend test files:

sapi/cli/php sapi/fuzzer/generate_parser_corpus.php
mkdir ./my-parser-corpus
sapi/fuzzer/php-fuzz-parser -merge=1 ./my-parser-corpus sapi/fuzzer/corpus/parser
sapi/fuzzer/php-fuzz-parser -only_ascii=1 ./my-parser-corpus

For the mbstring fuzzer, you may want to build the libonig dependency with instrumentation. At this time, libonig is not clean under ubsan, so only the fuzzer and address sanitizers may be used.

git clone https://github.com/kkos/oniguruma.git
pushd oniguruma
autoreconf -vfi
./configure CC=clang CFLAGS="-fsanitize=fuzzer-no-link,address -O2 -g"
make
popd

export ONIG_CFLAGS="-I$PWD/oniguruma/src"
export ONIG_LIBS="-L$PWD/oniguruma/src/.libs -l:libonig.a"

This will link an instrumented libonig statically into the PHP binary.