
I am trying to fuzz a particular piece of code using LLVM libFuzzer that only exposes its main() function externally. I have access to the source of the target code, but cannot change it.

If I try to directly include the object file, it conflicts with the main definition provided by -fsanitize=fuzzer. I thought I might be able to solve this by renaming the main symbol in the object file:

objcopy --redefine-sym main=stub_main main.stub main.o

Then in my harness code, I should just declare:

extern int stub_main(int argc, char **argv);

And call stub_main() instead of main(), while including main.stub on the link line. However, this did not seem to work, and the linker cannot find the reference to stub_main(int, char**).

How can I call this main function from another piece of code that also provides its own main()?

matoro
    Is your harness C++, by chance? Then you forgot to declare the stub as `extern "C"` – Botje Nov 13 '20 at 16:48
  • @Botje - that was it, thank you! I am not sure why that is needed, since the target code is also C++, but it worked! If you post this as an answer I will accept it. – matoro Nov 13 '20 at 16:59

1 Answer


You are not accounting for C++'s name mangling. The symbol for stub_main is likely a string containing main as well as some obfuscated info about arguments, type of function, and return type. On my platform it's __Z9stub_mainiPPc. The symbol for main would likely just be main or main_.

You can try looking at how the main and stub_main definitions mangle on your platform with objdump -d *.o, and then you can replace these strings with objcopy --redefine-sym.

Alternatively, as matoro said, you can declare the function as extern "C" so that no name mangling takes place.

Kostas