-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Segfault in tb_target_set_jmp_target_arm #2048
Comments
Thanks for the report and investigation. Your version seems pretty old, how about current dev branch? |
I have also encountered the same problem, and this issue has been very helpful to me |
Unfortunately, I cannot try on a newer unicorn version, sorry. |
What is that? Are you mentioning unicornafl? |
Yes, the one that is part of afl++, that you may find here: |
Okay, unicornafl will bump to 2.1.2 once I fixed it. |
That would be great! Thanks. |
In a very long emulation, I have a segfault (dereferencing null pointer) in qemu/tcg/aarch64/tcg-target.inc.c:tb_target_set_jmp_target.
In qemu/accel/tcg/cpu-exec.c, the function tb_set_jmp_target calls the previous function tb_target_set_jmp_target with parameters tc_ptr = 0 and tc_ptr + offset = 0.
Then tb_target_set_jmp_target calls atomic_set((uint64_t*)jmp_addr_, pair) with jmp_addr = tc_ptr + offset = 0, which segfaults.
I patched it (dirty) by adding the following code in tb_set_jmp_target:
if (TCG_TARGET_HAS_direct_jump && tb->tc.ptr) {
[…]
}
I do not know what this patch may break, but it solves the crash.
I am on commit 6ae0c97.
Feel free to ask me anything.
The text was updated successfully, but these errors were encountered: