Coverage Report

Created: 2025-12-14 06:09

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/php-src/sapi/fuzzer/fuzzer-execute-common.h
Line
Count
Source
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright (c) The PHP Group                                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to version 3.01 of the PHP license,      |
6
   | that is bundled with this package in the file LICENSE, and is        |
7
   | available through the world-wide-web at the following url:           |
8
   | https://www.php.net/license/3_01.txt                                 |
9
   | If you did not receive a copy of the PHP license and are unable to   |
10
   | obtain it through the world-wide-web, please send a note to          |
11
   | license@php.net so we can mail you a copy immediately.               |
12
   +----------------------------------------------------------------------+
13
   | Authors: Nikita Popov <nikic@php.net>                                |
14
   +----------------------------------------------------------------------+
15
 */
16
17
#include <main/php.h>
18
19
#if defined(__FreeBSD__)
20
# include <sys/sysctl.h>
21
#endif
22
23
#include "fuzzer.h"
24
#include "fuzzer-sapi.h"
25
#include "zend_exceptions.h"
26
#include "zend_vm.h"
27
28
57.8k
#define FILE_NAME "/tmp/fuzzer.php"
29
82.0k
#define MAX_STEPS 1000
30
358k
#define MAX_SIZE (8 * 1024)
31
4.12M
#define ZEND_VM_ENTER_BIT 1ULL
32
33
static uint32_t steps_left;
34
static bool bailed_out = false;
35
36
5.73k
static zend_always_inline void fuzzer_bailout(void) {
37
5.73k
  bailed_out = true;
38
5.73k
  zend_bailout();
39
5.73k
}
40
41
4.57M
static zend_always_inline void fuzzer_step(void) {
42
4.57M
  if (--steps_left == 0) {
43
    /* Reset steps before bailing out, so code running after bailout (e.g. in
44
     * destructors) will get another MAX_STEPS, rather than UINT32_MAX steps. */
45
1.24k
    steps_left = MAX_STEPS;
46
1.24k
    fuzzer_bailout();
47
1.24k
  }
48
4.57M
}
49
50
static void (*orig_execute_ex)(zend_execute_data *execute_data);
51
52
93.9k
static void fuzzer_execute_ex(zend_execute_data *execute_data) {
53
54
93.9k
#ifdef ZEND_CHECK_STACK_LIMIT
55
93.9k
  if (UNEXPECTED(zend_call_stack_overflowed(EG(stack_limit)))) {
56
0
    zend_call_stack_size_error();
57
    /* No opline was executed before exception */
58
0
    EG(opline_before_exception) = NULL;
59
    /* Fall through to handle exception below. */
60
0
  }
61
93.9k
#endif /* ZEND_CHECK_STACK_LIMIT */
62
63
93.9k
  const zend_op *opline = EX(opline);
64
65
4.15M
  while (1) {
66
4.09M
    fuzzer_step();
67
4.09M
    opline = ((zend_vm_opcode_handler_func_t) zend_get_opcode_handler_func(opline))(execute_data, opline);
68
4.09M
    if ((uintptr_t) opline & ZEND_VM_ENTER_BIT) {
69
34.7k
      opline = (const zend_op *) ((uintptr_t) opline & ~ZEND_VM_ENTER_BIT);
70
34.7k
      if (opline) {
71
0
        execute_data = EG(current_execute_data);
72
34.7k
      } else {
73
34.7k
        return;
74
34.7k
      }
75
34.7k
    }
76
4.09M
  }
77
93.9k
}
78
79
static zend_op_array *(*orig_compile_string)(
80
    zend_string *source_string, const char *filename, zend_compile_position position);
81
82
static zend_op_array *fuzzer_compile_string(
83
2.27k
    zend_string *str, const char *filename, zend_compile_position position) {
84
2.27k
  if (ZSTR_LEN(str) > MAX_SIZE) {
85
    /* Avoid compiling huge inputs via eval(). */
86
3
    fuzzer_bailout();
87
3
  }
88
89
2.27k
  return orig_compile_string(str, filename, position);
90
2.27k
}
91
92
static void (*orig_execute_internal)(zend_execute_data *execute_data, zval *return_value);
93
94
478k
static void fuzzer_execute_internal(zend_execute_data *execute_data, zval *return_value) {
95
478k
  fuzzer_step();
96
97
478k
  uint32_t num_args = ZEND_CALL_NUM_ARGS(execute_data);
98
1.10M
  for (uint32_t i = 0; i < num_args; i++) {
99
    /* Some internal functions like preg_replace() may be slow on large inputs.
100
     * Limit the maximum size of string inputs. */
101
626k
    zval *arg = ZEND_CALL_VAR_NUM(execute_data, i);
102
626k
    if (Z_TYPE_P(arg) == IS_STRING && Z_STRLEN_P(arg) > MAX_SIZE) {
103
4.48k
      fuzzer_bailout();
104
4.48k
    }
105
626k
  }
106
107
478k
  orig_execute_internal(execute_data, return_value);
108
478k
}
109
110
2
static void fuzzer_init_php_for_execute(const char *extra_ini) {
111
  /* Compilation will often trigger fatal errors.
112
   * Use tracked allocation mode to avoid leaks in that case. */
113
2
  putenv("USE_TRACKED_ALLOC=1");
114
115
  /* Just like other SAPIs, ignore SIGPIPEs. */
116
2
  signal(SIGPIPE, SIG_IGN);
117
118
2
  fuzzer_init_php(extra_ini);
119
120
2
  orig_execute_ex = zend_execute_ex;
121
2
  zend_execute_ex = fuzzer_execute_ex;
122
2
  orig_execute_internal = zend_execute_internal ? zend_execute_internal : execute_internal;
123
2
  zend_execute_internal = fuzzer_execute_internal;
124
2
  orig_compile_string = zend_compile_string;
125
2
  zend_compile_string = fuzzer_compile_string;
126
2
}
127
128
2
ZEND_ATTRIBUTE_UNUSED static void create_file(void) {
129
  /* For opcache_invalidate() to work, the dummy file name used for fuzzing needs to
130
   * actually exist. */
131
2
  FILE *f = fopen(FILE_NAME, "w");
132
2
  fclose(f);
133
2
}
134
135
40.4k
ZEND_ATTRIBUTE_UNUSED static void opcache_invalidate(void) {
136
40.4k
  steps_left = MAX_STEPS;
137
40.4k
  zend_exception_save();
138
40.4k
  zval retval, args[2];
139
40.4k
  zend_function *fn = zend_hash_str_find_ptr(CG(function_table), ZEND_STRL("opcache_invalidate"));
140
40.4k
  ZEND_ASSERT(fn != NULL);
141
142
40.4k
  ZVAL_STRING(&args[0], FILE_NAME);
143
40.4k
  ZVAL_TRUE(&args[1]);
144
40.4k
  zend_call_known_function(fn, NULL, NULL, &retval, 2, args, NULL);
145
40.4k
  ZEND_ASSERT(Z_TYPE(retval) == IS_TRUE);
146
40.4k
  zval_ptr_dtor(&args[0]);
147
40.4k
  zval_ptr_dtor(&retval);
148
40.4k
  zend_exception_restore();
149
40.4k
}