PHP on OSS-fuzz

  104779
March 17, 2019 21:23 smalyshev@gmail.com (Stanislav Malyshev)
Hi!

Looking at the recent PHP security issues, it is clear that many of them
are stemming from corner cases in various format-parsing code, and most
of them either are or can be found by fuzzers.

Thus, I've made an initial integration for PHP on OSS-fuzz project - a
fuzzing engine for testing open source projects. PHP configuration sits
here:
https://github.com/google/oss-fuzz/tree/master/projects/php
and implementation of fuzzers is here:
https://github.com/php/php-fuzzing-sapi

So far we have three fuzzers enabled: JSON, EXIF and mbstring. I also plan
to add a basic phar fuzzer soon. Everybody is welcome to add more
fuzzers - with priority on ones that actually deal with third-party
data, e.g. the language parser fuzzer is not enabled right now, because
people usually do not run random byte streams as PHP scripts on their
servers. On the other hand, people do apply EXIF or gd functions to
third-party data, so a vulnerability in that code would be high priority.

That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
inspired to add a fuzzer for any code please do so.
-- 
Stas Malyshev
smalyshev@gmail.com
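The shape of the targets described above, as an added example that is not code from php-fuzzing-sapi or OSS-Fuzz: a libFuzzer-style harness (the `LLVMFuzzerTestOneInput` entry point is the real one that OSS-Fuzz links against; everything else here, the toy TLV format, `parse_tlv`, `tlv_record` and `replay_file`, is constructed for illustration). It shows the two things the message relies on: a format parser that checks every read against the remaining input so that any sanitizer report is a genuine bug, and a standalone replay path that runs the same target without any fuzzing engine, which is what "fuzzers can be run independently of OSS-Fuzz" means in practice.

```c
/*
 * Added example, not code from php-fuzzing-sapi or OSS-Fuzz. Harness around a
 * constructed parser for a toy TLV format: [type:1][len:2 big-endian][value:len],
 * repeated until the input ends.
 *
 *   fuzz:   clang -g -O1 -fsanitize=fuzzer,address tlv_fuzzer.c -o tlv_fuzzer
 *   replay: cc -g -fsanitize=address -DSTANDALONE tlv_fuzzer.c -o tlv_replay
 *           ./tlv_replay crash-input.bin
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORDS 64

typedef struct {
    uint8_t type;
    uint16_t len;
    const uint8_t *val; /* points into the caller's buffer, never copied */
} tlv_record;

/*
 * Parses up to max_out records. Returns the record count, or -1 for malformed
 * input. Every read is checked against the remaining size before it happens;
 * if ASan ever fires inside this function, one of these checks is missing.
 */
int parse_tlv(const uint8_t *data, size_t size, tlv_record *out, size_t max_out)
{
    size_t pos = 0, n = 0;
    while (pos < size) {
        if (size - pos < 3)
            return -1;                    /* truncated header */
        uint8_t type = data[pos];
        uint16_t len = (uint16_t)((data[pos + 1] << 8) | data[pos + 2]);
        pos += 3;
        if (len > size - pos)
            return -1;                    /* value would run past the input */
        if (n >= max_out)
            return -1;                    /* refuse unbounded record counts */
        out[n].type = type;
        out[n].len = len;
        out[n].val = data + pos;
        n++;
        pos += len;
    }
    return (int)n;
}

/*
 * libFuzzer entry point; OSS-Fuzz links this against its engines. It must
 * return 0 and must not leak. It touches every byte the parser handed back so
 * that a bad pointer is actually dereferenced where ASan can see it.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    tlv_record recs[MAX_RECORDS];
    int n = parse_tlv(data, size, recs, MAX_RECORDS);
    for (int i = 0; i < n; i++) {
        volatile uint8_t sink = 0;
        for (uint16_t j = 0; j < recs[i].len; j++)
            sink ^= recs[i].val[j];
        (void)sink;
    }
    return 0;
}

/*
 * Replays one file through the target with no fuzzing engine attached, which
 * is how a reproducer downloaded from the OSS-Fuzz dashboard is checked
 * locally. Returns 0 on success, 1 if the file could not be read.
 */
int replay_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return 1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return 1; }
    long sz = ftell(f);
    if (sz < 0 || fseek(f, 0, SEEK_SET) != 0) { fclose(f); return 1; }
    uint8_t *buf = malloc((size_t)sz + 1); /* +1 keeps a zero-length file valid */
    if (!buf) { fclose(f); return 1; }
    size_t got = fread(buf, 1, (size_t)sz, f);
    fclose(f);
    LLVMFuzzerTestOneInput(buf, got);
    free(buf);
    return 0;
}

#ifdef STANDALONE
/* Only built for replay; libFuzzer supplies its own main() when fuzzing. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    return replay_file(argv[1]);
}
#endif
```

The `main()` is behind `-DSTANDALONE` because a fuzzing build gets its `main()` from libFuzzer; the same source file therefore serves both the OSS-Fuzz build and a plain local reproducer build. Under OSS-Fuzz the project's build.sh compiles the target with `$CC $CFLAGS $LIB_FUZZING_ENGINE`, which selects the engine and sanitizer for each job, so the target itself never needs to know which engine is driving it.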
  104853
March 21, 2019 13:49 Michael Wallner <mike@php.net>

Hey!

On 17/03/2019 22:23, Stanislav Malyshev wrote:
> Hi!
> 
> Looking at the recent PHP security issues, it is clear that many of them
> are stemming from corner cases in various format-parsing code, and most
> of them either are or can be found by fuzzers.
> 
> Thus, I've made an initial integration for PHP on OSS-fuzz project - a
> fuzzing engine for testing open source projects. PHP configuration sits

I followed the progress on github. Thanks for doing the work up front.

> and implementation of fuzzers is here:
> https://github.com/php/php-fuzzing-sapi
> 
> So far we have three fuzzers enabled: JSON, EXIF and mbstring. I also plan
> to add a basic phar fuzzer soon. Everybody is welcome to add more
> fuzzers - with priority on ones that actually deal with third-party
> data, e.g. the language parser fuzzer is not enabled right now, because
> people usually do not run random byte streams as PHP scripts on their
> servers. On the other hand, people do apply EXIF or gd functions to
> third-party data, so a vulnerability in that code would be high priority.
> 
> That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
> inspired to add a fuzzer for any code please do so.
> 

I hope I'll find time to try it out soon, thanks again!
-- 
Regards,
Mike
  106004
June 20, 2019 15:54 nikita.ppv@gmail.com (Nikita Popov)
On Sun, Mar 17, 2019 at 10:23 PM Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> Hi!
> 
> Looking at the recent PHP security issues, it is clear that many of them
> are stemming from corner cases in various format-parsing code, and most
> of them either are or can be found by fuzzers.
> 
> Thus, I've made an initial integration for PHP on OSS-fuzz project - a
> fuzzing engine for testing open source projects. PHP configuration sits
> here:
> https://github.com/google/oss-fuzz/tree/master/projects/php
> and implementation of fuzzers is here:
> https://github.com/php/php-fuzzing-sapi
> 
> So far we have three fuzzers enabled: JSON, EXIF and mbstring. I also plan
> to add a basic phar fuzzer soon. Everybody is welcome to add more
> fuzzers - with priority on ones that actually deal with third-party
> data, e.g. the language parser fuzzer is not enabled right now, because
> people usually do not run random byte streams as PHP scripts on their
> servers. On the other hand, people do apply EXIF or gd functions to
> third-party data, so a vulnerability in that code would be high priority.
> 
> That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
> inspired to add a fuzzer for any code please do so.
> 

Where are issues detected by oss-fuzz reported?

Nikita
  106005
June 20, 2019 16:43 cmbecker69@gmx.de ("Christoph M. Becker")
On 20.06.2019 at 17:54, Nikita Popov wrote:
> On Sun, Mar 17, 2019 at 10:23 PM Stanislav Malyshev <smalyshev@gmail.com>
> wrote:
> 
>> Hi!
>> 
>> Looking at the recent PHP security issues, it is clear that many of them
>> are stemming from corner cases in various format-parsing code, and most
>> of them either are or can be found by fuzzers.
>> 
>> Thus, I've made an initial integration for PHP on OSS-fuzz project - a
>> fuzzing engine for testing open source projects. PHP configuration sits
>> here:
>> https://github.com/google/oss-fuzz/tree/master/projects/php
>> and implementation of fuzzers is here:
>> https://github.com/php/php-fuzzing-sapi
>> 
>> So far we have three fuzzers enabled: JSON, EXIF and mbstring. I also plan
>> to add a basic phar fuzzer soon. Everybody is welcome to add more
>> fuzzers - with priority on ones that actually deal with third-party
>> data, e.g. the language parser fuzzer is not enabled right now, because
>> people usually do not run random byte streams as PHP scripts on their
>> servers. On the other hand, people do apply EXIF or gd functions to
>> third-party data, so a vulnerability in that code would be high priority.
>> 
>> That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
>> inspired to add a fuzzer for any code please do so.
> 
> Where are issues detected by oss-fuzz reported?

Everyone who is listed under primary_contact or auto_ccs[1] should be able
to see the reports on <https://oss-fuzz.com/> and gets e-mails for
first-time issues (works for me for libgd).

[1] <https://github.com/google/oss-fuzz/blob/master/projects/php/project.yaml>

Thanks,
Christoph
  106007
June 20, 2019 18:09 smalyshev@gmail.com (Stanislav Malyshev)
Hi!

> Where are issues detected by oss-fuzz reported?
Right now on https://oss-fuzz.com/testcases and I copy it to bugs.php.net.
It should also send the email when one comes up, but I am not sure whether
it goes to security@ too. Also the issues are on
https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-php
(you can only see the fixed or resolved ones without the login).
-- 
Stas Malyshev
smalyshev@gmail.com