Initial FreeBSD x86 (32-bit) support with Frida instrumentation (#3372)

* fix(libafl): add cfg_attr for check in freebsd case

* feat(frida): add FreeBSD to cfg's conditions

* feat(bolts): add write_crash for freebsd x86

* fix(bolts): convert rss.ru_maxrss to i64 for freebsd x86

* feat(frida): initial commit for freebsd x86

* fix(frida): x86_64 register's size in asan

* fix(frida): set 1<<31 as default value for max_total_allocation, needed for 32bit

* feat(bolts): add parse_from method for cli

* fix(bolts): unaligned msg in freebsd x86

* fix(frida): use u32::MAX limit for ranges in x86 case

* chore(bolts): fix typo in minibsod crash message

* fix(frida): remove including of failed script.js and use without ext

Author: saruman9

crates/libafl/src/executors/forkserver.rs

@@ -254,7 +254,8 @@ impl ConfigTarget for Command {
         }
     }
 
-    #[expect(trivial_numeric_casts)]
+    // libc::rlim_t is i64 in freebsd and trivial_numeric_casts check will failed
+    #[cfg_attr(not(target_os = "freebsd"), expect(trivial_numeric_casts))]
     fn setlimit(&mut self, memlimit: u64) -> &mut Self {
         if memlimit == 0 {
             return self;

crates/libafl_bolts/src/cli.rs

@@ -225,12 +225,18 @@ pub struct FuzzerOptions {
 
     /// The maximum total allocation size that the `ASan` allocator should allocate
     #[cfg(feature = "frida_cli")]
-    #[arg(
+    #[cfg_attr(target_pointer_width = "64", arg(
         short = 'M',
         long,
         default_value = "4294967296",  // 1_usize << 32
         help_heading = "ASan Options"
-    )]
+    ))]
+    #[cfg_attr(target_pointer_width = "32", arg(
+        short = 'M',
+        long,
+        default_value =  "2147483648",  // 1_usize << 31
+        help_heading = "ASan Options"
+    ))]
     pub max_total_allocation: usize,
 
     /// Instruct `ASan` to panic if the max `ASan` allocation size is exceeded
@@ -382,6 +388,16 @@ pub fn parse_args() -> FuzzerOptions {
     FuzzerOptions::parse()
 }
 
+/// Needed for targets, which doesn't have `std::env::args_os()` (FreeBSD for example)
+#[must_use]
+pub fn parse_from<I, T>(itr: I) -> FuzzerOptions
+where
+    I: IntoIterator<Item = T>,
+    T: Into<std::ffi::OsString> + Clone,
+{
+    FuzzerOptions::parse_from(itr)
+}
+
 #[cfg(all(
     test,
     any(feature = "cli", feature = "qemu_cli", feature = "frida_cli")

crates/libafl_bolts/src/llmp.rs

@@ -2778,8 +2778,9 @@ where
                                 size_of::<LlmpClientExitInfo>()
                             )));
                         }
-                        let exitinfo = (*msg).buf.as_mut_ptr() as *mut LlmpClientExitInfo;
-                        let client_id = ClientId((*exitinfo).client_id);
+                        let exitinfo =
+                            ((*msg).buf.as_mut_ptr() as *mut LlmpClientExitInfo).read_unaligned();
+                        let client_id = ClientId(exitinfo.client_id);
                         log::info!(
                             "Client exit message received!, we are removing clients whose client_group_id is {client_id:#?}"
                         );
@@ -3191,9 +3192,9 @@ where
                 .alloc_next(size_of::<LlmpClientExitInfo>())
                 .expect("Could not allocate a new message in shared map.");
             (*msg).tag = LLMP_TAG_CLIENT_EXIT;
-            #[expect(clippy::cast_ptr_alignment)]
-            let exitinfo = (*msg).buf.as_mut_ptr() as *mut LlmpClientExitInfo;
-            (*exitinfo).client_id = client_id;
+            let mut exitinfo =
+                ((*msg).buf.as_mut_ptr() as *mut LlmpClientExitInfo).read_unaligned();
+            exitinfo.client_id = client_id;
             sender.send(msg, true)
         }
     }

crates/libafl_bolts/src/minibsod.rs

@@ -715,13 +715,28 @@ fn write_crash<W: Write>(
 ) -> Result<(), std::io::Error> {
     writeln!(
         writer,
-        "Received signal {} at{:016x}, fault address: 0x{:016x}",
+        "Received signal {} at {:016x}, fault address: 0x{:016x}",
         signal, ucontext.uc_mcontext.mc_rip, ucontext.uc_mcontext.mc_fs
     )?;
 
     Ok(())
 }
 
+#[cfg(all(target_os = "freebsd", target_arch = "x86"))]
+fn write_crash<W: Write>(
+    writer: &mut BufWriter<W>,
+    signal: Signal,
+    ucontext: &ucontext_t,
+) -> Result<(), std::io::Error> {
+    writeln!(
+        writer,
+        "Received signal {} at {:016x}",
+        signal, ucontext.uc_mcontext.mc_eip
+    )?;
+
+    Ok(())
+}
+
 #[cfg(all(target_os = "dragonfly", target_arch = "x86_64"))]
 fn write_crash<W: Write>(
     writer: &mut BufWriter<W>,
@@ -730,7 +745,7 @@ fn write_crash<W: Write>(
 ) -> Result<(), std::io::Error> {
     writeln!(
         writer,
-        "Received signal {} at{:016x}, fault address: 0x{:016x}",
+        "Received signal {} at {:016x}, fault address: 0x{:016x}",
         signal, ucontext.uc_mcontext.mc_rip, ucontext.uc_mcontext.mc_cs
     )?;
 
@@ -745,7 +760,7 @@ fn write_crash<W: Write>(
 ) -> Result<(), std::io::Error> {
     writeln!(
         writer,
-        "Received signal {} at{:016x}, fault address: 0x{:016x}",
+        "Received signal {} at {:016x}, fault address: 0x{:016x}",
         signal, ucontext.sc_rip, ucontext.sc_fs
     )?;
 
@@ -760,7 +775,7 @@ fn write_crash<W: Write>(
 ) -> Result<(), std::io::Error> {
     writeln!(
         writer,
-        "Received signal {} at{:016x}",
+        "Received signal {} at {:016x}",
         signal, ucontext.sc_elr
     )?;
 

crates/libafl_bolts/src/os/mod.rs

@@ -142,7 +142,10 @@ pub fn peak_rss_mb_child_processes() -> Result<i64, Error> {
             Ok(rusage.assume_init())
         }
     }?;
-    Ok(rss.ru_maxrss >> 10)
+    let result = rss.ru_maxrss >> 10;
+    #[cfg(all(target_os = "freebsd", target_arch = "x86"))]
+    let result = result.into();
+    Ok(result)
 }
 
 /// "Safe" wrapper around dup2

crates/libafl_frida/Cargo.toml

@@ -105,7 +105,7 @@ workspace = true
 [target.'cfg(target_arch = "aarch64")'.dependencies]
 yaxpeax-arm = "0.3.0"
 
-[target.'cfg(target_arch = "x86_64")'.dependencies]
+[target.'cfg(any(target_arch = "x86_64", target_arch = "x86"))'.dependencies]
 yaxpeax-x86 = "2.0.0"
 iced-x86 = { version = "1.21.0", features = ["code_asm"], optional = true }
 

crates/libafl_frida/src/allocator.rs

@@ -1,6 +1,7 @@
 #[cfg(any(
     windows,
     target_os = "linux",
+    target_os = "freebsd",
     target_vendor = "apple",
     all(
         any(target_arch = "aarch64", target_arch = "x86_64"),
@@ -11,6 +12,7 @@ use alloc::collections::BTreeMap;
 #[cfg(any(
     windows,
     target_os = "linux",
+    target_os = "freebsd",
     target_vendor = "apple",
     all(
         any(target_arch = "aarch64", target_arch = "x86_64"),
@@ -35,6 +37,7 @@ use mach_sys::{
 #[cfg(any(
     windows,
     target_os = "linux",
+    target_os = "freebsd",
     target_vendor = "apple",
     all(
         any(target_arch = "aarch64", target_arch = "x86_64"),
@@ -115,6 +118,7 @@ impl Allocator {
     #[cfg(not(any(
         windows,
         target_os = "linux",
+        target_os = "freebsd",
         target_vendor = "apple",
         all(
             any(target_arch = "aarch64", target_arch = "x86_64"),
@@ -130,6 +134,7 @@ impl Allocator {
     #[cfg(any(
         windows,
         target_os = "linux",
+        target_os = "freebsd",
         target_vendor = "apple",
         all(
             any(target_arch = "aarch64", target_arch = "x86_64"),
@@ -710,8 +715,10 @@ impl Allocator {
 
         let mut occupied_ranges: Vec<(usize, usize)> = vec![];
         // max(userspace address) this is usually 0x8_0000_0000_0000 - 1 on x64 linux.
-        #[cfg(unix)]
+        #[cfg(all(unix, not(target_arch = "x86")))]
         let mut userspace_max: usize = 0;
+        #[cfg(all(unix, target_arch = "x86"))]
+        let userspace_max: usize = 0;
 
         // Enumerate memory ranges that are already occupied.
 
@@ -836,6 +843,7 @@ impl Default for Allocator {
     #[cfg(not(any(
         windows,
         target_os = "linux",
+        target_os = "freebsd",
         target_vendor = "apple",
         all(
             any(target_arch = "aarch64", target_arch = "x86_64"),
@@ -849,7 +857,8 @@ impl Default for Allocator {
     fn default() -> Self {
         let page_size = MmapOptions::page_size();
 
-        Self {
+        #[cfg(target_pointer_width = "64")]
+        return Self {
             max_allocation: 1 << 30,
             max_allocation_panics: false,
             max_total_allocation: 1 << 32,
@@ -867,7 +876,27 @@ impl Default for Allocator {
             total_allocation_size: 0,
             base_mapping_addr: 0,
             current_mapping_addr: 0,
-        }
+        };
+        #[cfg(target_pointer_width = "32")]
+        return Self {
+            max_allocation: 1 << 30,
+            max_allocation_panics: false,
+            max_total_allocation: 1 << 31,
+            allocation_backtraces: false,
+            page_size,
+            pre_allocated_shadow_mappings: Vec::new(),
+            using_pre_allocated_shadow_mapping: false,
+            mappings: BTreeMap::new(),
+            shadow_offset: 0,
+            shadow_bit: 0,
+            allocations: BTreeMap::new(),
+            shadow_pages: RangeSet::new(),
+            allocation_queue: BTreeMap::new(),
+            largest_allocation: 0,
+            total_allocation_size: 0,
+            base_mapping_addr: 0,
+            current_mapping_addr: 0,
+        };
     }
 }