Skip to content

v0 mangling fix for libafl_libfuzzer #3559

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
domenukk merged 4 commits into from
Nov 29, 2025
Merged

v0 mangling fix for libafl_libfuzzer #3559

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6431d06
begin v0 fix attempt
addisoncrump Nov 28, 2025
25c2a98
v0 mangling fixed
addisoncrump Nov 28, 2025
884ccd6
refactor: split out renaming
addisoncrump Nov 28, 2025
3de999f
clippy nit
addisoncrump Nov 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 45 additions & 27 deletions crates/libafl_libfuzzer/build.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,34 @@ fn main() -> Result<(), Box<dyn Error>> {
"Couldn't build runtime crate! Did you remember to use nightly? (`rustup default nightly` to install)"
);

let redefined_archive_path = rename_symbols(&custom_lib_target);

if cfg!(feature = "embed-runtime") {
// NOTE: lib, .a are added always on unix-like systems as described in:
// https://gist.github.com/novafacing/1389cbb2f0a362d7eb103e67b4468e2b
println!(
"cargo:rustc-env=LIBAFL_LIBFUZZER_RUNTIME_PATH={}",
redefined_archive_path.display()
);
}

println!(
"cargo:rustc-link-search=native={}",
custom_lib_target.to_str().unwrap()
);
println!("cargo:rustc-link-lib=static=Fuzzer");

if cfg!(target_os = "macos") {
println!("cargo:rustc-link-lib=c++");
} else {
println!("cargo:rustc-link-lib=stdc++");
}
Ok(())
}

/// This function creates a copy of the libfuzzer runtime with all the symbols renamed to avoid
/// a conflict with whatever we link to. It should be compatible with legacy and v0 mangling.
fn rename_symbols(custom_lib_target: &Path) -> PathBuf {
let mut archive_path = custom_lib_target.join(std::env::var_os("TARGET").unwrap());
archive_path.push("release");

Expand Down Expand Up @@ -174,6 +202,12 @@ fn main() -> Result<(), Box<dyn Error>> {
} else {
"_RN"
};
let r_prefix = if cfg!(target_os = "macos") {
// macOS symbols have an extra `_`
"__R"
} else {
"_R"
};

let zn_prefix = if cfg!(target_os = "macos") {
// macOS symbols have an extra `_`
Expand All @@ -185,7 +219,6 @@ fn main() -> Result<(), Box<dyn Error>> {
let replacement = format!("{zn_prefix}{NAMESPACE_LEN}{NAMESPACE}");

// redefine all the rust-mangled symbols we can
// TODO this will break when v0 mangling is stabilised
for line in BufReader::new(nm_child.stdout.take().unwrap()).lines() {
let line = line.unwrap();

Expand All @@ -196,16 +229,23 @@ fn main() -> Result<(), Box<dyn Error>> {
let (_, symbol) = line.rsplit_once(' ').unwrap();

if symbol.starts_with(rn_prefix) {
let (_prefix, renamed) = symbol.split_once("__rustc").unwrap();
let (size, renamed) = renamed.split_once('_').unwrap();
writeln!(redefinitions_file, "{symbol} {replacement}{size}{renamed}E").unwrap();
if let Some((_prefix, renamed)) = symbol.split_once("__rustc") {
let (size, renamed) = renamed.split_once('_').unwrap();
writeln!(redefinitions_file, "{symbol} {replacement}{size}{renamed}E").unwrap();
} else {
// v0 mangling: this uses the vendor-specific suffix model
writeln!(redefinitions_file, "{symbol} {symbol}${NAMESPACE}").unwrap();
}
} else if symbol.starts_with(zn_prefix) {
writeln!(
redefinitions_file,
"{symbol} {}",
symbol.replacen(zn_prefix, &replacement, 1)
)
.unwrap();
} else if symbol.starts_with(r_prefix) {
// v0 mangling (not in namespace): this uses the vendor-specific suffix model
writeln!(redefinitions_file, "{symbol} {symbol}${NAMESPACE}").unwrap();
}
}
redefinitions_file.flush().unwrap();
Expand Down Expand Up @@ -258,27 +298,5 @@ fn main() -> Result<(), Box<dyn Error>> {
objcopy_command.status().is_ok_and(|s| s.success()),
"Couldn't rename allocators in the runtime crate! Do you have the llvm-tools component installed? (`rustup component add llvm-tools-preview` to install)"
);

#[cfg(feature = "embed-runtime")]
{
// NOTE: lib, .a are added always on unix-like systems as described in:
// https://gist.github.com/novafacing/1389cbb2f0a362d7eb103e67b4468e2b
println!(
"cargo:rustc-env=LIBAFL_LIBFUZZER_RUNTIME_PATH={}",
redefined_archive_path.display()
);
}

println!(
"cargo:rustc-link-search=native={}",
custom_lib_target.to_str().unwrap()
);
println!("cargo:rustc-link-lib=static=Fuzzer");

if cfg!(target_os = "macos") {
println!("cargo:rustc-link-lib=c++");
} else {
println!("cargo:rustc-link-lib=stdc++");
}
Ok(())
redefined_archive_path
}
Loading