/src/php-src/sapi/fuzzer/fuzzer-sapi.c

Source
/*
   +----------------------------------------------------------------------+
   | Copyright (c) The PHP Group                                          |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available through the world-wide-web at the following url:           |
   | https://www.php.net/license/3_01.txt                                 |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
   | Authors: Johannes Schlüter <johanes@php.net>                         |
   |          Stanislav Malyshev <stas@php.net>                           |
   +----------------------------------------------------------------------+
 */

#include <main/php.h>
#include <main/php_main.h>
#include <main/SAPI.h>
#include <ext/standard/info.h>
#include <ext/standard/php_var.h>
#include <main/php_variables.h>
#include <zend_exceptions.h>

#ifdef __SANITIZE_ADDRESS__
# include "sanitizer/lsan_interface.h"
#endif

#include "fuzzer.h"
#include "fuzzer-sapi.h"

static const char HARDCODED_INI[] =
  "html_errors=0\n"
  "implicit_flush=1\n"
  "output_buffering=0\n"
  "error_reporting=0\n"
  /* Let the timeout be enforced by libfuzzer, not PHP. */
  "max_execution_time=0\n"
  /* Reduce oniguruma limits to speed up fuzzing */
  "mbstring.regex_stack_limit=10000\n"
  "mbstring.regex_retry_limit=10000\n"
  /* For the "execute" fuzzer disable some functions that are likely to have
   * undesirable consequences (shell execution, file system writes). */
  "allow_url_include=0\n"
  "allow_url_fopen=0\n"
  "open_basedir=/tmp\n"
  "disable_functions=dl,mail,mb_send_mail,set_error_handler"
  ",shell_exec,exec,system,proc_open,popen,passthru,pcntl_exec"
  ",chdir,chgrp,chmod,chown,copy,file_put_contents,lchgrp,lchown,link,mkdir"
  ",move_uploaded_file,rename,rmdir,symlink,tempname,touch,unlink,fopen"
  /* Networking code likes to wait and wait. */
  ",fsockopen,pfsockopen"
  ",stream_socket_pair,stream_socket_client,stream_socket_server"
  /* crypt() can be very slow. */
  ",crypt"
  /* openlog() has a known memory-management issue. */
  ",openlog"
;

static int startup(sapi_module_struct *sapi_module)
{
  return php_module_startup(sapi_module, NULL);
}

static size_t ub_write(const char *str, size_t str_length)
{
  /* quiet */
  return str_length;
}

static void fuzzer_flush(void *server_context)
{
  /* quiet */
}

static void send_header(sapi_header_struct *sapi_header, void *server_context)
{
}

static char* read_cookies(void)
{
  /* TODO: fuzz these! */
  return NULL;
}

static void register_variables(zval *track_vars_array)
{
  php_import_environment_variables(track_vars_array);
}

static void log_message(const char *message, int level)
{
}


static sapi_module_struct fuzzer_module = {
  "fuzzer",               /* name */
  "clang fuzzer", /* pretty name */

  startup,             /* startup */
  php_module_shutdown_wrapper,   /* shutdown */

  NULL,                          /* activate */
  NULL,                          /* deactivate */

  ub_write,            /* unbuffered write */
  fuzzer_flush,               /* flush */
  NULL,                          /* get uid */
  NULL,                          /* getenv */

  php_error,                     /* error handler */

  NULL,                          /* header handler */
  NULL,                          /* send headers handler */
  send_header,         /* send header handler */

  NULL,                          /* read POST data */
  read_cookies,        /* read Cookies */

  register_variables,  /* register server variables */
  log_message,         /* Log message */
  NULL,                          /* Get request time */
  NULL,                          /* Child terminate */

  STANDARD_SAPI_MODULE_PROPERTIES
};

static ZEND_COLD zend_function *disable_class_get_constructor_handler(zend_object *obj) /* {{{ */
{
  zend_throw_error(NULL, "Cannot construct class %s, as it is disabled", ZSTR_VAL(obj->ce->name));
  return NULL;
}

static void fuzzer_disable_classes(void)
{
  /* Overwrite built-in constructor for InfiniteIterator as it
   * can cause long loops that bypass the executor step limit. */
  /* Lowercase as this is how the CE as stored */
  zend_class_entry *InfiniteIterator_class = zend_hash_str_find_ptr(CG(class_table), "infiniteiterator", strlen("infiniteiterator"));

  static zend_object_handlers handlers;
  memcpy(&handlers, InfiniteIterator_class->default_object_handlers, sizeof(handlers));
  handlers.get_constructor = disable_class_get_constructor_handler;
  InfiniteIterator_class->default_object_handlers = &handlers;
}

int fuzzer_init_php(const char *extra_ini)
{
#ifdef __SANITIZE_ADDRESS__
  /* We're going to leak all the memory allocated during startup,
   * so disable lsan temporarily. */
  __lsan_disable();
#endif

  sapi_startup(&fuzzer_module);
  fuzzer_module.phpinfo_as_text = 1;

  size_t ini_len = sizeof(HARDCODED_INI);
  size_t extra_ini_len = extra_ini ? strlen(extra_ini) : 0;
  if (extra_ini) {
    ini_len += extra_ini_len + 1;
  }
  char *p = malloc(ini_len + 1);
  fuzzer_module.ini_entries = p;
  p = zend_mempcpy(p, HARDCODED_INI, sizeof(HARDCODED_INI) - 1);
  if (extra_ini) {
    *p++ = '\n';
    p = zend_mempcpy(p, extra_ini, extra_ini_len);
  }
  *p = '\0';

  /*
   * TODO: we might want to test both Zend and malloc MM, but testing with malloc
   * is more likely to find bugs, so use that for now.
   */
  putenv("USE_ZEND_ALLOC=0");

  if (fuzzer_module.startup(&fuzzer_module)==FAILURE) {
    return FAILURE;
  }

#ifdef __SANITIZE_ADDRESS__
  __lsan_enable();
#endif

  return SUCCESS;
}

int fuzzer_request_startup(void)
{
  if (php_request_startup() == FAILURE) {
    php_module_shutdown();
    return FAILURE;
  }

#ifdef ZEND_SIGNALS
  /* Some signal handlers will be overridden,
   * don't complain about them during shutdown. */
  SIGG(check) = 0;
#endif

  fuzzer_disable_classes();

  return SUCCESS;
}

void fuzzer_request_shutdown(void)
{
  zend_try {
    /* Destroy thrown exceptions. This does not happen as part of request shutdown. */
    if (EG(exception)) {
      zend_object_release(EG(exception));
      EG(exception) = NULL;
    }

    /* Some fuzzers (like unserialize) may create circular structures. Make sure we free them.
     * Two calls are performed to handle objects with destructors. */
    zend_gc_collect_cycles();
    zend_gc_collect_cycles();
  } zend_end_try();

  zend_try {
    php_request_shutdown(NULL);
  } zend_end_try();
}

/* Set up a dummy stack frame so that exceptions may be thrown. */
void fuzzer_setup_dummy_frame(void)
{
  static zend_execute_data execute_data;
  static zend_function func;

  memset(&execute_data, 0, sizeof(zend_execute_data));
  memset(&func, 0, sizeof(zend_function));

  func.type = ZEND_INTERNAL_FUNCTION;
  func.common.function_name = ZSTR_EMPTY_ALLOC();
  execute_data.func = &func;
  EG(current_execute_data) = &execute_data;
}

void fuzzer_set_ini_file(const char *file)
{
  if (fuzzer_module.php_ini_path_override) {
    free(fuzzer_module.php_ini_path_override);
  }
  fuzzer_module.php_ini_path_override = strdup(file);
}


int fuzzer_shutdown_php(void)
{
  php_module_shutdown();
  sapi_shutdown();

  free((void *)fuzzer_module.ini_entries);
  return SUCCESS;
}

int fuzzer_do_request_from_buffer(
    char *filename, const char *data, size_t data_len, bool execute,
    void (*before_shutdown)(void))
{
  int retval = FAILURE; /* failure by default */

  SG(options) |= SAPI_OPTION_NO_CHDIR;
  SG(request_info).argc=0;
  SG(request_info).argv=NULL;

  if (fuzzer_request_startup() == FAILURE) {
    return FAILURE;
  }

  // Commented out to avoid leaking the header callback.
  //SG(headers_sent) = 1;
  //SG(request_info).no_headers = 1;
  php_register_variable("PHP_SELF", filename, NULL);

  zend_first_try {
    zend_file_handle file_handle;
    zend_stream_init_filename(&file_handle, filename);
    file_handle.primary_script = 1;
    file_handle.buf = emalloc(data_len + ZEND_MMAP_AHEAD);
    memcpy(file_handle.buf, data, data_len);
    memset(file_handle.buf + data_len, 0, ZEND_MMAP_AHEAD);
    file_handle.len = data_len;
    /* Avoid ZEND_HANDLE_FILENAME for opcache. */
    file_handle.type = ZEND_HANDLE_STREAM;

    zend_op_array *op_array = zend_compile_file(&file_handle, ZEND_REQUIRE);
    zend_destroy_file_handle(&file_handle);
    if (op_array) {
      if (execute) {
        zend_execute(op_array, NULL);
      }
      zend_destroy_static_vars(op_array);
      destroy_op_array(op_array);
      efree(op_array);
    }
  } zend_end_try();

  CG(compiled_filename) = NULL; /* ??? */
  if (before_shutdown) {
    zend_try {
      before_shutdown();
    } zend_end_try();
  }
  fuzzer_request_shutdown();

  return (retval == SUCCESS) ? SUCCESS : FAILURE;
}

// Call named PHP function with N zval arguments
void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args) {
  zval retval;

  zend_function *fn = zend_hash_str_find_ptr(CG(function_table), func_name, strlen(func_name));
  ZEND_ASSERT(fn != NULL);

  ZVAL_UNDEF(&retval);
  zend_call_known_function(fn, NULL, NULL, &retval, nargs, args, NULL);

  // TODO: check result?
  /* to ensure retval is not broken */
  php_var_dump(&retval, 0);

  /* cleanup */
  zval_ptr_dtor(&retval);
}

// Call named PHP function with N string arguments
void fuzzer_call_php_func(const char *func_name, int nargs, char **params) {
  zval args[nargs];
  int i;

  for(i=0;i<nargs;i++) {
    ZVAL_STRING(&args[i], params[i]);
  }

  fuzzer_call_php_func_zval(func_name, nargs, args);

  for(i=0;i<nargs;i++) {
    zval_ptr_dtor(&args[i]);
    ZVAL_UNDEF(&args[i]);
  }
}

Coverage Report

Created: 2025-09-27 06:26

Line	Count	Source
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright (c) The PHP Group \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to version 3.01 of the PHP license, \|
6		\| that is bundled with this package in the file LICENSE, and is \|
7		\| available through the world-wide-web at the following url: \|
8		\| https://www.php.net/license/3_01.txt \|
9		\| If you did not receive a copy of the PHP license and are unable to \|
10		\| obtain it through the world-wide-web, please send a note to \|
11		\| license@php.net so we can mail you a copy immediately. \|
12		+----------------------------------------------------------------------+
13		\| Authors: Johannes Schlüter <johanes@php.net> \|
14		\| Stanislav Malyshev <stas@php.net> \|
15		+----------------------------------------------------------------------+
16		*/
17
18		#include <main/php.h>
19		#include <main/php_main.h>
20		#include <main/SAPI.h>
21		#include <ext/standard/info.h>
22		#include <ext/standard/php_var.h>
23		#include <main/php_variables.h>
24		#include <zend_exceptions.h>
25
26		#ifdef __SANITIZE_ADDRESS__
27		# include "sanitizer/lsan_interface.h"
28		#endif
29
30		#include "fuzzer.h"
31		#include "fuzzer-sapi.h"
32
33		static const char HARDCODED_INI[] =
34		"html_errors=0\n"
35		"implicit_flush=1\n"
36		"output_buffering=0\n"
37		"error_reporting=0\n"
38		/* Let the timeout be enforced by libfuzzer, not PHP. */
39		"max_execution_time=0\n"
40		/* Reduce oniguruma limits to speed up fuzzing */
41		"mbstring.regex_stack_limit=10000\n"
42		"mbstring.regex_retry_limit=10000\n"
43		/* For the "execute" fuzzer disable some functions that are likely to have
44		* undesirable consequences (shell execution, file system writes). */
45		"allow_url_include=0\n"
46		"allow_url_fopen=0\n"
47		"open_basedir=/tmp\n"
48		"disable_functions=dl,mail,mb_send_mail,set_error_handler"
49		",shell_exec,exec,system,proc_open,popen,passthru,pcntl_exec"
50		",chdir,chgrp,chmod,chown,copy,file_put_contents,lchgrp,lchown,link,mkdir"
51		",move_uploaded_file,rename,rmdir,symlink,tempname,touch,unlink,fopen"
52		/* Networking code likes to wait and wait. */
53		",fsockopen,pfsockopen"
54		",stream_socket_pair,stream_socket_client,stream_socket_server"
55		/* crypt() can be very slow. */
56		",crypt"
57		/* openlog() has a known memory-management issue. */
58		",openlog"
59		;
60
61		static int startup(sapi_module_struct *sapi_module)
62	16	{
63	16	return php_module_startup(sapi_module, NULL);
64	16	}
65
66		static size_t ub_write(const char *str, size_t str_length)
67	50.7M	{
68		/* quiet */
69	50.7M	return str_length;
70	50.7M	}
71
72		static void fuzzer_flush(void *server_context)
73	50.7M	{
74		/* quiet */
75	50.7M	}
76
77		static void send_header(sapi_header_struct sapi_header, void server_context)
78	1.11M	{
79	1.11M	}
80
81		static char* read_cookies(void)
82	0	{
83		/* TODO: fuzz these! */
84	0	return NULL;
85	0	}
86
87		static void register_variables(zval *track_vars_array)
88	55	{
89	55	php_import_environment_variables(track_vars_array);
90	55	}
91
92		static void log_message(const char *message, int level)
93	12	{
94	12	}
95
96
97		static sapi_module_struct fuzzer_module = {
98		"fuzzer", /* name */
99		"clang fuzzer", /* pretty name */
100
101		startup, /* startup */
102		php_module_shutdown_wrapper, /* shutdown */
103
104		NULL, /* activate */
105		NULL, /* deactivate */
106
107		ub_write, /* unbuffered write */
108		fuzzer_flush, /* flush */
109		NULL, /* get uid */
110		NULL, /* getenv */
111
112		php_error, /* error handler */
113
114		NULL, /* header handler */
115		NULL, /* send headers handler */
116		send_header, /* send header handler */
117
118		NULL, /* read POST data */
119		read_cookies, /* read Cookies */
120
121		register_variables, /* register server variables */
122		log_message, /* Log message */
123		NULL, /* Get request time */
124		NULL, /* Child terminate */
125
126		STANDARD_SAPI_MODULE_PROPERTIES
127		};
128
129		static ZEND_COLD zend_function disable_class_get_constructor_handler(zend_object obj) /* {{{ */
130	11	{
131	11	zend_throw_error(NULL, "Cannot construct class %s, as it is disabled", ZSTR_VAL(obj->ce->name));
132	11	return NULL;
133	11	}
134
135		static void fuzzer_disable_classes(void)
136	278k	{
137		/* Overwrite built-in constructor for InfiniteIterator as it
138		* can cause long loops that bypass the executor step limit. */
139		/* Lowercase as this is how the CE as stored */
140	278k	zend_class_entry *InfiniteIterator_class = zend_hash_str_find_ptr(CG(class_table), "infiniteiterator", strlen("infiniteiterator"));
141
142	278k	static zend_object_handlers handlers;
143	278k	memcpy(&handlers, InfiniteIterator_class->default_object_handlers, sizeof(handlers));
144	278k	handlers.get_constructor = disable_class_get_constructor_handler;
145	278k	InfiniteIterator_class->default_object_handlers = &handlers;
146	278k	}
147
148		int fuzzer_init_php(const char *extra_ini)
149	16	{
150		#ifdef __SANITIZE_ADDRESS__
151		/* We're going to leak all the memory allocated during startup,
152		* so disable lsan temporarily. */
153		__lsan_disable();
154		#endif
155
156	16	sapi_startup(&fuzzer_module);
157	16	fuzzer_module.phpinfo_as_text = 1;
158
159	16	size_t ini_len = sizeof(HARDCODED_INI);
160	16	size_t extra_ini_len = extra_ini ? strlen(extra_ini) : 0;
161	16	if (extra_ini) {
162	4	ini_len += extra_ini_len + 1;
163	4	}
164	16	char *p = malloc(ini_len + 1);
165	16	fuzzer_module.ini_entries = p;
166	16	p = zend_mempcpy(p, HARDCODED_INI, sizeof(HARDCODED_INI) - 1);
167	16	if (extra_ini) {
168	4	*p++ = '\n';
169	4	p = zend_mempcpy(p, extra_ini, extra_ini_len);
170	4	}
171	16	*p = '\0';
172
173		/*
174		* TODO: we might want to test both Zend and malloc MM, but testing with malloc
175		* is more likely to find bugs, so use that for now.
176		*/
177	16	putenv("USE_ZEND_ALLOC=0");
178
179	16	if (fuzzer_module.startup(&fuzzer_module)==FAILURE) {
180	0	return FAILURE;
181	0	}
182
183		#ifdef __SANITIZE_ADDRESS__
184		__lsan_enable();
185		#endif
186
187	16	return SUCCESS;
188	16	}
189
190		int fuzzer_request_startup(void)
191	278k	{
192	278k	if (php_request_startup() == FAILURE) {
193	0	php_module_shutdown();
194	0	return FAILURE;
195	0	}
196
197	278k	#ifdef ZEND_SIGNALS
198		/* Some signal handlers will be overridden,
199		* don't complain about them during shutdown. */
200	278k	SIGG(check) = 0;
201	278k	#endif
202
203	278k	fuzzer_disable_classes();
204
205	278k	return SUCCESS;
206	278k	}
207
208		void fuzzer_request_shutdown(void)
209	265k	{
210	265k	zend_try {
211		/* Destroy thrown exceptions. This does not happen as part of request shutdown. */
212	265k	if (EG(exception)) {
213	145k	zend_object_release(EG(exception));
214	145k	EG(exception) = NULL;
215	145k	}
216
217		/* Some fuzzers (like unserialize) may create circular structures. Make sure we free them.
218		* Two calls are performed to handle objects with destructors. */
219	265k	zend_gc_collect_cycles();
220	265k	zend_gc_collect_cycles();
221	265k	} zend_end_try();
222
223	265k	zend_try {
224	265k	php_request_shutdown(NULL);
225	265k	} zend_end_try();
226	265k	}
227
228		/* Set up a dummy stack frame so that exceptions may be thrown. */
229		void fuzzer_setup_dummy_frame(void)
230	91.6k	{
231	91.6k	static zend_execute_data execute_data;
232	91.6k	static zend_function func;
233
234	91.6k	memset(&execute_data, 0, sizeof(zend_execute_data));
235	91.6k	memset(&func, 0, sizeof(zend_function));
236
237	91.6k	func.type = ZEND_INTERNAL_FUNCTION;
238	91.6k	func.common.function_name = ZSTR_EMPTY_ALLOC();
239	91.6k	execute_data.func = &func;
240	91.6k	EG(current_execute_data) = &execute_data;
241	91.6k	}
242
243		void fuzzer_set_ini_file(const char *file)
244	0	{
245	0	if (fuzzer_module.php_ini_path_override) {
246	0	free(fuzzer_module.php_ini_path_override);
247	0	}
248	0	fuzzer_module.php_ini_path_override = strdup(file);
249	0	}
250
251
252		int fuzzer_shutdown_php(void)
253	0	{
254	0	php_module_shutdown();
255	0	sapi_shutdown();
256
257	0	free((void *)fuzzer_module.ini_entries);
258	0	return SUCCESS;
259	0	}
260
261		int fuzzer_do_request_from_buffer(
262		char filename, const char data, size_t data_len, bool execute,
263		void (*before_shutdown)(void))
264	174k	{
265	174k	int retval = FAILURE; /* failure by default */
266
267	174k	SG(options) \|= SAPI_OPTION_NO_CHDIR;
268	174k	SG(request_info).argc=0;
269	174k	SG(request_info).argv=NULL;
270
271	174k	if (fuzzer_request_startup() == FAILURE) {
272	0	return FAILURE;
273	0	}
274
275		// Commented out to avoid leaking the header callback.
276		//SG(headers_sent) = 1;
277		//SG(request_info).no_headers = 1;
278	174k	php_register_variable("PHP_SELF", filename, NULL);
279
280	174k	zend_first_try {
281	174k	zend_file_handle file_handle;
282	174k	zend_stream_init_filename(&file_handle, filename);
283	174k	file_handle.primary_script = 1;
284	174k	file_handle.buf = emalloc(data_len + ZEND_MMAP_AHEAD);
285	174k	memcpy(file_handle.buf, data, data_len);
286	174k	memset(file_handle.buf + data_len, 0, ZEND_MMAP_AHEAD);
287	174k	file_handle.len = data_len;
288		/* Avoid ZEND_HANDLE_FILENAME for opcache. */
289	174k	file_handle.type = ZEND_HANDLE_STREAM;
290
291	174k	zend_op_array *op_array = zend_compile_file(&file_handle, ZEND_REQUIRE);
292	174k	zend_destroy_file_handle(&file_handle);
293	174k	if (op_array) {
294	125k	if (execute) {
295	105k	zend_execute(op_array, NULL);
296	105k	}
297	125k	zend_destroy_static_vars(op_array);
298	125k	destroy_op_array(op_array);
299	125k	efree(op_array);
300	125k	}
301	174k	} zend_end_try();
302
303	174k	CG(compiled_filename) = NULL; /* ??? */
304	174k	if (before_shutdown) {
305	73.8k	zend_try {
306	73.8k	before_shutdown();
307	73.8k	} zend_end_try();
308	73.8k	}
309	174k	fuzzer_request_shutdown();
310
311	174k	return (retval == SUCCESS) ? SUCCESS : FAILURE;
312	174k	}
313
314		// Call named PHP function with N zval arguments
315	10.7k	void fuzzer_call_php_func_zval(const char func_name, int nargs, zval args) {
316	10.7k	zval retval;
317
318	10.7k	zend_function *fn = zend_hash_str_find_ptr(CG(function_table), func_name, strlen(func_name));
319	10.7k	ZEND_ASSERT(fn != NULL);
320
321	10.7k	ZVAL_UNDEF(&retval);
322	10.7k	zend_call_known_function(fn, NULL, NULL, &retval, nargs, args, NULL);
323
324		// TODO: check result?
325		/* to ensure retval is not broken */
326	10.7k	php_var_dump(&retval, 0);
327
328		/* cleanup */
329	10.7k	zval_ptr_dtor(&retval);
330	10.7k	}
331
332		// Call named PHP function with N string arguments
333	0	void fuzzer_call_php_func(const char func_name, int nargs, char *params) {
334	0	zval args[nargs];
335	0	int i;
336
337	0	for(i=0;i<nargs;i++) {
338	0	ZVAL_STRING(&args[i], params[i]);
339	0	}
340
341	0	fuzzer_call_php_func_zval(func_name, nargs, args);
342
343	0	for(i=0;i<nargs;i++) {
344	0	zval_ptr_dtor(&args[i]);
345	0	ZVAL_UNDEF(&args[i]);
346	0	}
347	0	}