Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segfault in tb_target_set_jmp_target_arm #2048

Open
futhewo opened this issue Oct 31, 2024 · 9 comments
Open

Segfault in tb_target_set_jmp_target_arm #2048

futhewo opened this issue Oct 31, 2024 · 9 comments

Comments

@futhewo
Copy link

futhewo commented Oct 31, 2024

In a very long emulation, I have a segfault (dereferencing null pointer) in qemu/tcg/aarch64/tcg-target.inc.c:tb_target_set_jmp_target.

In qemu/accel/tcg/cpu-exec.c, the function tb_set_jmp_target calls the previous function tb_target_set_jmp_target with parameters tc_ptr = 0 and tc_ptr + offset = 0.

Then tb_target_set_jmp_target calls atomic_set((uint64_t*)jmp_addr_, pair) with jmp_addr = tc_ptr + offset = 0, which segfaults.

I patched it (dirty) by adding the following code in tb_set_jmp_target:
if (TCG_TARGET_HAS_direct_jump && tb->tc.ptr) {
[…]
}

I do not know what this patch may break, but it solves the crash.
I am on commit 6ae0c97.

Feel free to ask me anything.

@wtdcode
Copy link
Member

wtdcode commented Oct 31, 2024

Thanks for the report and investigation. Your version seems pretty old, how about current dev branch?

@1144822034
Copy link

I have also encountered the same problem, and this issue has been very helpful to me

@futhewo
Copy link
Author

futhewo commented Nov 11, 2024

Unfortunately, I cannot try on a newer unicorn version, sorry.
I am using unicorn as part of unicornafl++ and it uses the version I pointed out.

@wtdcode
Copy link
Member

wtdcode commented Nov 11, 2024

unicornafl++

What is that? Are you mentioning unicornafl?

@futhewo
Copy link
Author

futhewo commented Nov 11, 2024

Yes, the one that is part of afl++, that you may find here:
https://github.com/AFLplusplus/unicornafl

@wtdcode
Copy link
Member

wtdcode commented Nov 11, 2024

Yes, the one that is part of afl++, that you may find here: https://github.com/AFLplusplus/unicornafl

Okay, unicornafl will bump to 2.1.2 once I fixed it.

@futhewo
Copy link
Author

futhewo commented Nov 11, 2024

That would be great! Thanks.

@sadeli413
Copy link

Tagging #1923 for visibility.
My temporary workaround is to destroy and reconstruct the emulator once every few million times.

@wtdcode
Copy link
Member

wtdcode commented Jan 4, 2025

I assume 2c688ba shall solve this. Could you have a try @futhewo ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants