add PHP CVE-2019-11038

data_augmentation/methods/ConcFuzz/crash_tags.yaml

@@ -5,3 +5,4 @@ libjpeg_cve-2017-15232: asan;0;oracle_source/jquant1.c:536
 libxml2_cve-2017-5969: asan;0;oracle_source/valid.c:1181
 readelf_cve-2019-9077: asan;0;binutils/readelf.c:16204
 mruby_hackerone-reports-185041: asan;4;error.c:290
+php_cve-2019-11038: asan;2;gd.c:2463

feature_extraction/methods/AuroraFE/src/rca.sh

@@ -1,6 +1,12 @@
 #!/bin/bash
 set -eu
 
+RCA_LOAD_OFFSET=""
+if [[ -v LOAD_OFFSET ]];
+then
+	RCA_LOAD_OFFSET="--load-offset ${LOAD_OFFSET}"
+fi
+
 cd ${FE_ROOT}/aurora/root_cause_analysis
-cargo run --release --bin rca -- --eval-dir ${WORKDIR} --trace-dir ${WORKDIR} --monitor --rank-predicates
-cargo run --release --bin addr2line -- --eval-dir ${WORKDIR}
+cargo run --release --bin rca -- ${RCA_LOAD_OFFSET} --eval-dir ${WORKDIR} --trace-dir ${WORKDIR} --monitor --rank-predicates 
+cargo run --release --bin addr2line -- ${RCA_LOAD_OFFSET} --eval-dir ${WORKDIR} 

targets/php_cve-2019-11038/README.md

@@ -0,0 +1,22 @@
+# CVE-2019-11038
+
+## references
+https://github.com/libgd/libgd/issues/501
+
+https://nvd.nist.gov/vuln/detail/CVE-2019-11038
+## description
+
+This bug is not in PHP source but in libgd source that is used as part of PHP.
+
+In gdImageCreateFromXbm(), a return value of sscanf is not checked and can be read an uninitialized value.
+
+## patch
+https://github.com/libgd/libgd/commit/e13a342c079aeb73e31dfa19eaca119761bac3f3
+
+## fixed file
+
+https://github.com/libgd/libgd/pull/503/files#diff-3e81469de02c28988a3c8b67060a48e741493db4412152dd141871eabe57aa61
+
+## Source of PoC
+
+https://bugs.php.net/bug.php?id=77973

targets/php_cve-2019-11038/build.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -eu
+
+. ${TARGET_ROOT}/config.sh
+
+if [ $# -lt 1 ]; then
+  echo "Usage: $0 <build dir name>" 1>&2
+  exit 1
+fi
+
+cd $TARGET_ROOT
+
+wget https://www.php.net/distributions/php-7.3.5.tar.gz
+tar xf php-7.3.5.tar.gz 
+mv php-7.3.5 $1
+cd $1
+
+patch ./Zend/zend_portability.h ${TARGET_ROOT}/zend_portability.h.patch
+
+TARGET_DEF_CFLAGS="${TARGET_DEF_CFLAGS-} -no-pie -fno-pie"
+TARGET_DEF_CXXFLAGS="${TARGET_DEF_CXXFLAGS-} -no-pie -fno-pie"
+TARGET_DEF_LDFLAGS="${TARGET_DEF_CXXFLAGS-} -no-pie -fno-pie"
+ARGS=""
+for var in "${!TARGET_DEF_@}"; do
+	tmp=${!var//\-fsanitize\=address/\-fsanitize\=memory}
+	tmp=${tmp//gcc/clang}
+	tmp=${tmp//g++/clang++}
+	ARGS="${ARGS} ${var#TARGET_DEF_}=\"$(echo ${tmp})\""
+done
+
+eval ./configure CC=clang CXX=clang++ ${ARGS} --prefix=/dir_name/install --with-gd --enable-cli --without-pear
+eval make ${ARGS} -j$(nproc)
+
+#export ZEND_DONT_UNLOAD_MODULES=1
+#export USE_ZEND_ALLOC=0
+#UBSAN_OPTIONS="print_stacktrace=1" ./sapi/cli/php ../xbm.php

targets/php_cve-2019-11038/config.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -eux
+
+export RELPATH=sapi/cli/php
+export ARGS="$TARGET_ROOT/poc.php @@"
+export LOAD_OFFSET=0x0000000000000000

targets/php_cve-2019-11038/poc.php

@@ -0,0 +1,3 @@
+<?php
+$xbm = imagecreatefromxbm($argv[1]);
+?>

targets/php_cve-2019-11038/preinstall.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends build-essential libxml2-dev libpng-dev wget patch clang llvm

targets/php_cve-2019-11038/root_causes/locations

@@ -0,0 +1,3 @@
+gd_xbm.c:139
+gd_xbm.c:140
+gd_xbm.c:141

targets/php_cve-2019-11038/seeds/default

@@ -0,0 +1,4 @@
+#define width 2
+#define height 2
+static char bits[] ={
+zzxzz

targets/php_cve-2019-11038/zend_portability.h.patch

@@ -0,0 +1,15 @@
+--- php-7.3.5/Zend/zend_portability.h	2019-04-30 17:37:26.000000000 +0900
++++ php-7.3.5-mod/Zend/zend_portability.h	2023-07-07 19:43:23.525984714 +0900
+@@ -512,6 +512,12 @@
+ #define ZEND_VALID_SOCKET(sock) ((sock) >= 0)
+ #endif
+
++#if __has_feature(memory_sanitizer) || __has_feature(thread_sanitizer) || \
++	__has_feature(dataflow_sanitizer)
++# undef HAVE_FUNC_ATTRIBUTE_IFUNC
++#endif
++
++
+ /* va_copy() is __va_copy() in old gcc versions.
+  * According to the autoconf manual, using
+  * memcpy(&dst, &src, sizeof(va_list))