diff --git a/sapi/fuzzer/fuzzer-execute-common.h b/sapi/fuzzer/fuzzer-execute-common.h
index d0e80b8bb44..97e90fb7e8a 100644
--- a/sapi/fuzzer/fuzzer-execute-common.h
+++ b/sapi/fuzzer/fuzzer-execute-common.h
@@ -20,6 +20,7 @@
 #include "fuzzer-sapi.h"
 #include "zend_exceptions.h"
+#define FILE_NAME "/tmp/fuzzer.php"
 #define MAX_STEPS 1000
 #define MAX_SIZE (8 * 1024)
 static uint32_t steps_left;
@@ -102,12 +103,19 @@ static void fuzzer_init_php_for_execute(const char *extra_ini) {
 	zend_compile_string = fuzzer_compile_string;
 }
+ZEND_ATTRIBUTE_UNUSED static void create_file(void) {
+	/* For opcache_invalidate() to work, the dummy file name used for fuzzing needs to
+	 * actually exist. */
+	FILE *f = fopen(FILE_NAME, "w");
+	fclose(f);
+}
+
 ZEND_ATTRIBUTE_UNUSED static void opcache_invalidate(void) {
 	steps_left = MAX_STEPS;
 	zend_exception_save();
 	zval retval, func, args[2];
 	ZVAL_STRING(&func, "opcache_invalidate");
-	ZVAL_STRING(&args[0], "/fuzzer.php");
+	ZVAL_STRING(&args[0], FILE_NAME);
 	ZVAL_TRUE(&args[1]);
 	call_user_function(CG(function_table), NULL, &func, &retval, 2, args);
 	ZEND_ASSERT(Z_TYPE(retval) == IS_TRUE);
diff --git a/sapi/fuzzer/fuzzer-execute.c b/sapi/fuzzer/fuzzer-execute.c
index 75bacf8e75f..aa456a175f5 100644
--- a/sapi/fuzzer/fuzzer-execute.c
+++ b/sapi/fuzzer/fuzzer-execute.c
@@ -25,7 +25,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 	steps_left = MAX_STEPS;
 	fuzzer_do_request_from_buffer(
-		"/fuzzer.php", (const char *) Data, Size, /* execute */ 1, /* before_shutdown */ NULL);
+		FILE_NAME, (const char *) Data, Size, /* execute */ 1, /* before_shutdown */ NULL);
 	return 0;
 }
diff --git a/sapi/fuzzer/fuzzer-function-jit.c b/sapi/fuzzer/fuzzer-function-jit.c
index 4bebc4ce927..0c4cd0f918f 100644
--- a/sapi/fuzzer/fuzzer-function-jit.c
+++ b/sapi/fuzzer/fuzzer-function-jit.c
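Review bot: `fclose(f)` in the new create_file() runs unconditionally, so when `fopen(FILE_NAME, "w")` fails (no writable /tmp, the path being a directory or a dangling link) it passes NULL to fclose, which is undefined behaviour and in practice a crash with no diagnostic. Because /tmp/fuzzer.php is a fixed name in a world-writable directory, another local user can also pre-place a symlink there and have the "w" open truncate any file the fuzzer's user is allowed to write, even though only the file's existence matters here and its contents are never read by this harness. I would create it with O_CREAT|O_NOFOLLOW and no O_TRUNC, and fail loudly at init time instead of letting every later opcache_invalidate() call trip its ZEND_ASSERT. This needs <fcntl.h>, <unistd.h> and <errno.h> unless fuzzer-sapi.h already pulls them in, which I cannot see from this hunk.
```c
ZEND_ATTRIBUTE_UNUSED static void create_file(void) {
	/* For opcache_invalidate() to work, the dummy file name used for fuzzing needs to
	 * actually exist. Only existence matters: the file is never read, so do not
	 * truncate it and do not follow a symlink that may have been planted in /tmp. */
	int fd = open(FILE_NAME, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
	if (fd < 0) {
		fprintf(stderr, "create_file: cannot create %s: %s\n", FILE_NAME, strerror(errno));
		abort();
	}
	close(fd);
}
```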
@@ -32,14 +32,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 	zend_alter_ini_entry_chars(
 		jit_option, "off", sizeof("off")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
 	fuzzer_do_request_from_buffer(
-		"/fuzzer.php", (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
+		FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
 	if (!bailed_out) {
 		steps_left = MAX_STEPS;
 		zend_alter_ini_entry_chars(jit_option, "function", sizeof("function")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
 		fuzzer_do_request_from_buffer(
-			"/fuzzer.php", (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
+			FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
 	}
 	zend_string_release(jit_option);
@@ -59,6 +59,8 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) {
 		"opcache.jit_buffer_size=256M", opcache_path);
 	free(opcache_path);
+
+	create_file();
 	fuzzer_init_php_for_execute(ini_buf);
 	return 0;
 }
diff --git a/sapi/fuzzer/fuzzer-tracing-jit.c b/sapi/fuzzer/fuzzer-tracing-jit.c
index f4387dc1f9b..585bf55304a 100644
--- a/sapi/fuzzer/fuzzer-tracing-jit.c
+++ b/sapi/fuzzer/fuzzer-tracing-jit.c
@@ -32,7 +32,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 	zend_alter_ini_entry_chars(
 		jit_option, "off", sizeof("off")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
 	fuzzer_do_request_from_buffer(
-		"/fuzzer.php", (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
+		FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
 	if (!bailed_out) {
 		steps_left = MAX_STEPS;
@@ -41,10 +41,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 		zend_execute_ex = orig_execute_ex;
 		/* Trace & compile */
 		fuzzer_do_request_from_buffer(
-			"/fuzzer.php", (const char *) Data, Size, /* execute */ 1, NULL);
+			FILE_NAME, (const char *) Data, Size, /* execute */ 1, NULL);
 		/* Execute trace */
 		fuzzer_do_request_from_buffer(
-			"/fuzzer.php", (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
+			FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
 		zend_execute_ex = fuzzer_execute_ex;
 	}
@@ -70,6 +70,8 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) {
 		"opcache.jit_max_root_traces=32768", opcache_path);
 	free(opcache_path);
+
+	create_file();
 	fuzzer_init_php_for_execute(ini_buf);
 	return 0;
 }