Coverage Report

Created: 2025-12-14 06:05

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/php-src/sapi/fuzzer/fuzzer-execute-common.h
Line
Count
Source
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright (c) The PHP Group                                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to version 3.01 of the PHP license,      |
6
   | that is bundled with this package in the file LICENSE, and is        |
7
   | available through the world-wide-web at the following url:           |
8
   | https://www.php.net/license/3_01.txt                                 |
9
   | If you did not receive a copy of the PHP license and are unable to   |
10
   | obtain it through the world-wide-web, please send a note to          |
11
   | license@php.net so we can mail you a copy immediately.               |
12
   +----------------------------------------------------------------------+
13
   | Authors: Nikita Popov <nikic@php.net>                                |
14
   +----------------------------------------------------------------------+
15
 */
16
17
#include <main/php.h>
18
19
#if defined(__FreeBSD__)
20
# include <sys/sysctl.h>
21
#endif
22
23
#include "fuzzer.h"
24
#include "fuzzer-sapi.h"
25
#include "zend_exceptions.h"
26
#include "zend_vm.h"
27
28
50.4k
#define FILE_NAME "/tmp/fuzzer.php"
29
50.6k
#define MAX_STEPS 1000
30
71.1k
#define MAX_SIZE (8 * 1024)
31
389k
#define ZEND_VM_ENTER_BIT 1ULL
32
33
static uint32_t steps_left;
34
static bool bailed_out = false;
35
36
282
static zend_always_inline void fuzzer_bailout(void) {
37
282
  bailed_out = true;
38
282
  zend_bailout();
39
282
}
40
41
368k
static zend_always_inline void fuzzer_step(void) {
42
368k
  if (--steps_left == 0) {
43
    /* Reset steps before bailing out, so code running after bailout (e.g. in
44
     * destructors) will get another MAX_STEPS, rather than UINT32_MAX steps. */
45
259
    steps_left = MAX_STEPS;
46
259
    fuzzer_bailout();
47
259
  }
48
368k
}
49
50
static void (*orig_execute_ex)(zend_execute_data *execute_data);
51
52
58.1k
static void fuzzer_execute_ex(zend_execute_data *execute_data) {
53
54
58.1k
#ifdef ZEND_CHECK_STACK_LIMIT
55
58.1k
  if (UNEXPECTED(zend_call_stack_overflowed(EG(stack_limit)))) {
56
0
    zend_call_stack_size_error();
57
    /* No opline was executed before exception */
58
0
    EG(opline_before_exception) = NULL;
59
    /* Fall through to handle exception below. */
60
0
  }
61
58.1k
#endif /* ZEND_CHECK_STACK_LIMIT */
62
63
58.1k
  const zend_op *opline = EX(opline);
64
65
346k
  while (1) {
66
339k
    fuzzer_step();
67
339k
    opline = ((zend_vm_opcode_handler_func_t) zend_get_opcode_handler_func(opline))(execute_data, opline);
68
339k
    if ((uintptr_t) opline & ZEND_VM_ENTER_BIT) {
69
50.5k
      opline = (const zend_op *) ((uintptr_t) opline & ~ZEND_VM_ENTER_BIT);
70
50.5k
      if (opline) {
71
0
        execute_data = EG(current_execute_data);
72
50.5k
      } else {
73
50.5k
        return;
74
50.5k
      }
75
50.5k
    }
76
339k
  }
77
58.1k
}
78
79
static zend_op_array *(*orig_compile_string)(
80
    zend_string *source_string, const char *filename, zend_compile_position position);
81
82
static zend_op_array *fuzzer_compile_string(
83
41
    zend_string *str, const char *filename, zend_compile_position position) {
84
41
  if (ZSTR_LEN(str) > MAX_SIZE) {
85
    /* Avoid compiling huge inputs via eval(). */
86
0
    fuzzer_bailout();
87
0
  }
88
89
41
  return orig_compile_string(str, filename, position);
90
41
}
91
92
static void (*orig_execute_internal)(zend_execute_data *execute_data, zval *return_value);
93
94
29.2k
static void fuzzer_execute_internal(zend_execute_data *execute_data, zval *return_value) {
95
29.2k
  fuzzer_step();
96
97
29.2k
  uint32_t num_args = ZEND_CALL_NUM_ARGS(execute_data);
98
56.2k
  for (uint32_t i = 0; i < num_args; i++) {
99
    /* Some internal functions like preg_replace() may be slow on large inputs.
100
     * Limit the maximum size of string inputs. */
101
27.0k
    zval *arg = ZEND_CALL_VAR_NUM(execute_data, i);
102
27.0k
    if (Z_TYPE_P(arg) == IS_STRING && Z_STRLEN_P(arg) > MAX_SIZE) {
103
23
      fuzzer_bailout();
104
23
    }
105
27.0k
  }
106
107
29.2k
  orig_execute_internal(execute_data, return_value);
108
29.2k
}
109
110
2
static void fuzzer_init_php_for_execute(const char *extra_ini) {
111
  /* Compilation will often trigger fatal errors.
112
   * Use tracked allocation mode to avoid leaks in that case. */
113
2
  putenv("USE_TRACKED_ALLOC=1");
114
115
  /* Just like other SAPIs, ignore SIGPIPEs. */
116
2
  signal(SIGPIPE, SIG_IGN);
117
118
2
  fuzzer_init_php(extra_ini);
119
120
2
  orig_execute_ex = zend_execute_ex;
121
2
  zend_execute_ex = fuzzer_execute_ex;
122
2
  orig_execute_internal = zend_execute_internal ? zend_execute_internal : execute_internal;
123
2
  zend_execute_internal = fuzzer_execute_internal;
124
2
  orig_compile_string = zend_compile_string;
125
2
  zend_compile_string = fuzzer_compile_string;
126
2
}
127
128
0
ZEND_ATTRIBUTE_UNUSED static void create_file(void) {
129
0
  /* For opcache_invalidate() to work, the dummy file name used for fuzzing needs to
130
0
   * actually exist. */
131
0
  FILE *f = fopen(FILE_NAME, "w");
132
0
  fclose(f);
133
0
}
134
135
0
ZEND_ATTRIBUTE_UNUSED static void opcache_invalidate(void) {
136
0
  steps_left = MAX_STEPS;
137
0
  zend_exception_save();
138
0
  zval retval, args[2];
139
0
  zend_function *fn = zend_hash_str_find_ptr(CG(function_table), ZEND_STRL("opcache_invalidate"));
140
0
  ZEND_ASSERT(fn != NULL);
141
0
142
0
  ZVAL_STRING(&args[0], FILE_NAME);
143
0
  ZVAL_TRUE(&args[1]);
144
0
  zend_call_known_function(fn, NULL, NULL, &retval, 2, args, NULL);
145
0
  ZEND_ASSERT(Z_TYPE(retval) == IS_TRUE);
146
0
  zval_ptr_dtor(&args[0]);
147
0
  zval_ptr_dtor(&retval);
148
0
  zend_exception_restore();
149
0
}