Hi!
Looking at the recent PHP security issues, it is clear that many of them
stem from corner cases in various format-parsing code, and most
of them either are or can be found by fuzzers.
Thus, I've made an initial integration for PHP on the OSS-Fuzz project - a
fuzzing engine for testing open source projects. The PHP configuration sits
here:
https://github.com/google/oss-fuzz/tree/master/projects/php
and the implementation of the fuzzers is here:
https://github.com/php/php-fuzzing-sapi
So far we have three fuzzers enabled: JSON, EXIF and mbstring. I also plan
to add a basic phar fuzzer soon. Everybody is welcome to add more
fuzzers - with priority on ones that actually deal with third-party
data. E.g. the language parser fuzzer is not enabled right now, because
people usually do not run random byte streams as PHP scripts on their
servers. On the other hand, people do apply EXIF or gd functions to
third-party data, so a vulnerability in that code would be high priority.
That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
inspired to add a fuzzer for any code please do so.
Stas Malyshev
smalyshev@gmail.com