1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
AC_MSG_CHECKING(for clang fuzzer SAPI)
PHP_ARG_ENABLE([fuzzer],,
[AS_HELP_STRING([--enable-fuzzer],
[Build PHP as clang fuzzing test module (for developers)])],
[no],
[no])
PHP_ARG_ENABLE([fuzzer-msan],,
[AS_HELP_STRING([--enable-fuzzer-msan],
[Enable msan instead of asan/ubsan when fuzzing])],
[no],
[no])
dnl For newer clang versions see https://llvm.org/docs/LibFuzzer.html#fuzzer-usage
dnl for relevant flags.
dnl Macro to define fuzzing target
dnl PHP_FUZZER_TARGET(name, target-var)
dnl
AC_DEFUN([PHP_FUZZER_TARGET], [
PHP_FUZZER_BINARIES="$PHP_FUZZER_BINARIES $SAPI_FUZZER_PATH/php-fuzz-$1"
PHP_SUBST($2)
PHP_ADD_SOURCES_X([sapi/fuzzer],[fuzzer-$1.c],[],$2)
$2="[$]$2 $FUZZER_COMMON_OBJS"
])
if test "$PHP_FUZZER" != "no"; then
AC_MSG_RESULT([yes])
dnl Don't use PHP_REQUIRE_CXX() to avoid unnecessarily pulling in -lstdc++
AC_PROG_CXX
AC_PROG_CXXCPP
PHP_ADD_MAKEFILE_FRAGMENT($abs_srcdir/sapi/fuzzer/Makefile.frag)
SAPI_FUZZER_PATH=sapi/fuzzer
PHP_SUBST(SAPI_FUZZER_PATH)
if test -z "$LIB_FUZZING_ENGINE"; then
FUZZING_LIB="-fsanitize=fuzzer"
FUZZING_CC="$CC"
AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link], [
CFLAGS="$CFLAGS -fsanitize=fuzzer-no-link"
CXXFLAGS="$CXXFLAGS -fsanitize=fuzzer-no-link"
if test "$PHP_FUZZER_MSAN" = "yes"; then
CFLAGS="$CFLAGS -fsanitize=memory -fsanitize-memory-track-origins"
CXXFLAGS="$CXXFLAGS -fsanitize=memory -fsanitize-memory-track-origins"
else
CFLAGS="$CFLAGS -fsanitize=address"
CXXFLAGS="$CXXFLAGS -fsanitize=address"
dnl Don't include -fundefined in CXXFLAGS, because that would also require linking
dnl with a C++ compiler.
dnl Disable object-size sanitizer, because it is incompatible with our zend_function
dnl union, and this can't be easily fixed.
dnl We need to specify -fno-sanitize-recover=undefined here, otherwise ubsan warnings
dnl will not be considered failures by the fuzzer.
CFLAGS="$CFLAGS -fsanitize=undefined -fno-sanitize=object-size -fno-sanitize-recover=undefined"
fi
],[
AC_MSG_ERROR(Compiler doesn't support -fsanitize=fuzzer-no-link)
])
else
FUZZING_LIB="$LIB_FUZZING_ENGINE"
FUZZING_CC="$CXX -stdlib=libc++"
fi
PHP_SUBST(FUZZING_LIB)
PHP_SUBST(FUZZING_CC)
dnl PHP_SELECT_SAPI(fuzzer-parser, program, $FUZZER_SOURCES, , '$(SAPI_FUZZER_PATH)')
PHP_ADD_BUILD_DIR([sapi/fuzzer])
PHP_FUZZER_BINARIES=""
PHP_BINARIES="$PHP_BINARIES fuzzer"
PHP_INSTALLED_SAPIS="$PHP_INSTALLED_SAPIS fuzzer"
PHP_ADD_SOURCES_X([sapi/fuzzer], [fuzzer-sapi.c], [], FUZZER_COMMON_OBJS)
PHP_FUZZER_TARGET([parser], PHP_FUZZER_PARSER_OBJS)
PHP_FUZZER_TARGET([execute], PHP_FUZZER_EXECUTE_OBJS)
PHP_FUZZER_TARGET([unserialize], PHP_FUZZER_UNSERIALIZE_OBJS)
PHP_FUZZER_TARGET([unserializehash], PHP_FUZZER_UNSERIALIZEHASH_OBJS)
PHP_FUZZER_TARGET([json], PHP_FUZZER_JSON_OBJS)
if test -n "$enable_exif" && test "$enable_exif" != "no"; then
PHP_FUZZER_TARGET([exif], PHP_FUZZER_EXIF_OBJS)
fi
if test -n "$enable_mbstring" && test "$enable_mbstring" != "no"; then
PHP_FUZZER_TARGET([mbstring], PHP_FUZZER_MBSTRING_OBJS)
fi
PHP_SUBST(PHP_FUZZER_BINARIES)
fi
AC_MSG_RESULT($PHP_FUZZER)
|
