
Segfault in uc_ctl_request_cache with `UC_ARCH_MIPS`

Open hgarrereyn opened this issue 5 months ago • 2 comments

Hi, using uc_ctl_request_cache with UC_ARCH_MIPS results in a segfault.

Interestingly, this seems to only happen on MIPS (both 32- and 64-bit).

Tested on the most recent commit c24c9ebe.

(found via automated fuzzing).

The following testcase reproduces the crash:

testcase.cpp

#include <cstdint>
extern "C" {
#include "/fuzz/install/include/unicorn/unicorn.h"
#include "/fuzz/install/include/unicorn/mips.h"
}
int main() {
  uc_engine *uc = nullptr;
  // Open a 32-bit MIPS engine; bail out quietly if that fails.
  if (uc_open(UC_ARCH_MIPS, UC_MODE_MIPS32, &uc) != UC_ERR_OK) return 0;
  uint64_t base = 0x1000;
  // Map one RWX page and fill the start of it with 0x90 bytes.
  uc_mem_map(uc, base, 0x1000, UC_PROT_READ | UC_PROT_EXEC | UC_PROT_WRITE);
  unsigned char code[16]; for (int i=0;i<16;i++) code[i]=0x90;
  uc_mem_write(uc, base, code, sizeof(code));
  // Ask unicorn to translate the block at `base`; this is where the crash happens.
  uc_tb tb{};
  uc_ctl_request_cache(uc, base, &tb);
  return 0;
}

ASAN crash

==12==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d18bf4af76 bp 0x000000000006 sp 0x7ffccff5a800 T0)
==12==The signal is caused by a WRITE memory access.
==12==Hint: address points to the zero page.
    #0 0x55d18bf4af76 in tcg_emit_op_mipsel /fuzz/src/qemu/tcg/tcg.c:2132:5
    #1 0x55d18bf77977 in tcg_gen_op2_mipsel /fuzz/src/qemu/tcg/tcg-op.c:51:17
    #2 0x55d18bf49400 in tcg_gen_op2i_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:134:5
    #3 0x55d18bf49400 in tcg_gen_movi_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:416:5
    #4 0x55d18bf49400 in tcg_const_i32_mipsel /fuzz/src/qemu/tcg/tcg.c:1104:5
    #5 0x55d18c0efa64 in mips_tr_translate_insn /fuzz/src/qemu/target/mips/translate.c:30951:19
    #6 0x55d18df8db6f in translator_loop_mipsel /fuzz/src/qemu/accel/tcg/translator.c:125:9
    #7 0x55d18c0e920c in gen_intermediate_code_mipsel /fuzz/src/qemu/target/mips/translate.c:31107:5
    #8 0x55d18c00cdf6 in tb_gen_code_mipsel /fuzz/src/qemu/accel/tcg/translate-all.c:1759:5
    #9 0x55d18c00aadd in uc_gen_tb /fuzz/src/qemu/accel/tcg/translate-all.c:1187:18
    #10 0x55d18aedec5f in uc_ctl /fuzz/src/uc.c:2879:19
    #11 0x55d18aeca7a1 in main /fuzz/workspace/test.cpp:14:3
    #12 0x7fbbcccdcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7fbbcccdce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x55d18adef4c4 in _start (/fuzz/workspace/test+0x3894c4) (BuildId: db8496ce3bcb6dcc5fb8612e93dc0970e88d7fff)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzz/src/qemu/tcg/tcg.c:2132:5 in tcg_emit_op_mipsel

hgarrereyn, Sep 26 '25 03:09

Probably #2134

Would you mind trying https://github.com/unicorn-engine/unicorn/commit/0bb1bbd93c9e821154845ba81b81e8a05c49c3b7 ?

wtdcode, Sep 26 '25 03:09

Seems like it hits the same crash:

==12==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b3aff789f6 bp 0x000000000006 sp 0x7fff1854dc20 T0)
==12==The signal is caused by a WRITE memory access.
==12==Hint: address points to the zero page.
    #0 0x55b3aff789f6 in tcg_emit_op_mipsel /fuzz/src/qemu/tcg/tcg.c:2132:5
    #1 0x55b3affa56b7 in tcg_gen_op2_mipsel /fuzz/src/qemu/tcg/tcg-op.c:51:17
    #2 0x55b3aff76e80 in tcg_gen_op2i_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:134:5
    #3 0x55b3aff76e80 in tcg_gen_movi_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:416:5
    #4 0x55b3aff76e80 in tcg_const_i32_mipsel /fuzz/src/qemu/tcg/tcg.c:1104:5
    #5 0x55b3b011b894 in mips_tr_translate_insn /fuzz/src/qemu/target/mips/translate.c:30951:19
    #6 0x55b3b1f25b9c in translator_loop_mipsel /fuzz/src/qemu/accel/tcg/translator.c:125:9
    #7 0x55b3b011503c in gen_intermediate_code_mipsel /fuzz/src/qemu/target/mips/translate.c:31107:5
    #8 0x55b3b0038c26 in tb_gen_code_mipsel /fuzz/src/qemu/accel/tcg/translate-all.c:1759:5
    #9 0x55b3b003690d in uc_gen_tb /fuzz/src/qemu/accel/tcg/translate-all.c:1187:18
    #10 0x55b3aeedaaff in uc_ctl /fuzz/src/uc.c:2754:19
    #11 0x55b3aeec77a1 in main /fuzz/workspace/test.cpp:14:3
    #12 0x7f369db53d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f369db53e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x55b3aedec4c4 in _start (/fuzz/workspace/test+0x3884c4) (BuildId: 11f0dd09f2a99296d415ba4fe6d630ed8191abbc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzz/src/qemu/tcg/tcg.c:2132:5 in tcg_emit_op_mipsel

hgarrereyn, Sep 26 '25 04:09
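The thread turns on whether the retry "hits the same crash". Below is an added example, not part of this issue or of Unicorn, of the dedup check a fuzzing harness usually does for that question: parse the ASAN frames, drop the ASLR-randomised addresses and the column numbers, and compare the top frames. The two embedded reports are the ones quoted above, abbreviated to frames #0 to #11; the function names parse_frames, summary, crash_signature and same_crash are my own.

```python
import re
from typing import List, Tuple

# One ASAN stack frame, e.g.
#     #0 0x55d18bf4af76 in tcg_emit_op_mipsel /fuzz/src/qemu/tcg/tcg.c:2132:5
# The hex address is deliberately not captured: under ASLR it differs between
# runs of the very same bug, so it must not be part of the signature.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>\S+)")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (?P<what>.+)$", re.MULTILINE)

Frame = Tuple[str, str]  # (function name, "file:line")


def _strip_column(loc: str) -> str:
    """'tcg.c:2132:5' -> 'tcg.c:2132'; locations without a column are left alone."""
    parts = loc.split(":")
    if len(parts) >= 3 and parts[-1].isdigit() and parts[-2].isdigit():
        return ":".join(parts[:-1])
    return loc


def parse_frames(report: str) -> List[Frame]:
    """Frames of an ASAN report, innermost first, without addresses or columns."""
    frames: List[Frame] = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group("func"), _strip_column(m.group("loc"))))
    return frames


def summary(report: str) -> str:
    """Text after 'SUMMARY: AddressSanitizer:', or '' if the report has none."""
    m = SUMMARY_RE.search(report)
    return m.group("what").strip() if m else ""


def crash_signature(report: str, depth: int = 5) -> Tuple[Frame, ...]:
    """Top-`depth` normalised frames: a stable key for deduplicating crashes."""
    return tuple(parse_frames(report)[:depth])


def same_crash(a: str, b: str, depth: int = 5) -> bool:
    return crash_signature(a, depth) == crash_signature(b, depth)


# Excerpts of the two reports from the issue above (frames #0-#11 only).
REPORT_ORIGINAL = """\
==12==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d18bf4af76 bp 0x000000000006 sp 0x7ffccff5a800 T0)
    #0 0x55d18bf4af76 in tcg_emit_op_mipsel /fuzz/src/qemu/tcg/tcg.c:2132:5
    #1 0x55d18bf77977 in tcg_gen_op2_mipsel /fuzz/src/qemu/tcg/tcg-op.c:51:17
    #2 0x55d18bf49400 in tcg_gen_op2i_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:134:5
    #3 0x55d18bf49400 in tcg_gen_movi_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:416:5
    #4 0x55d18bf49400 in tcg_const_i32_mipsel /fuzz/src/qemu/tcg/tcg.c:1104:5
    #5 0x55d18c0efa64 in mips_tr_translate_insn /fuzz/src/qemu/target/mips/translate.c:30951:19
    #6 0x55d18df8db6f in translator_loop_mipsel /fuzz/src/qemu/accel/tcg/translator.c:125:9
    #7 0x55d18c0e920c in gen_intermediate_code_mipsel /fuzz/src/qemu/target/mips/translate.c:31107:5
    #8 0x55d18c00cdf6 in tb_gen_code_mipsel /fuzz/src/qemu/accel/tcg/translate-all.c:1759:5
    #9 0x55d18c00aadd in uc_gen_tb /fuzz/src/qemu/accel/tcg/translate-all.c:1187:18
    #10 0x55d18aedec5f in uc_ctl /fuzz/src/uc.c:2879:19
    #11 0x55d18aeca7a1 in main /fuzz/workspace/test.cpp:14:3
SUMMARY: AddressSanitizer: SEGV /fuzz/src/qemu/tcg/tcg.c:2132:5 in tcg_emit_op_mipsel
"""

REPORT_RETRY = """\
==12==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b3aff789f6 bp 0x000000000006 sp 0x7fff1854dc20 T0)
    #0 0x55b3aff789f6 in tcg_emit_op_mipsel /fuzz/src/qemu/tcg/tcg.c:2132:5
    #1 0x55b3affa56b7 in tcg_gen_op2_mipsel /fuzz/src/qemu/tcg/tcg-op.c:51:17
    #2 0x55b3aff76e80 in tcg_gen_op2i_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:134:5
    #3 0x55b3aff76e80 in tcg_gen_movi_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:416:5
    #4 0x55b3aff76e80 in tcg_const_i32_mipsel /fuzz/src/qemu/tcg/tcg.c:1104:5
    #5 0x55b3b011b894 in mips_tr_translate_insn /fuzz/src/qemu/target/mips/translate.c:30951:19
    #6 0x55b3b1f25b9c in translator_loop_mipsel /fuzz/src/qemu/accel/tcg/translator.c:125:9
    #7 0x55b3b011503c in gen_intermediate_code_mipsel /fuzz/src/qemu/target/mips/translate.c:31107:5
    #8 0x55b3b0038c26 in tb_gen_code_mipsel /fuzz/src/qemu/accel/tcg/translate-all.c:1759:5
    #9 0x55b3b003690d in uc_gen_tb /fuzz/src/qemu/accel/tcg/translate-all.c:1187:18
    #10 0x55b3aeedaaff in uc_ctl /fuzz/src/uc.c:2754:19
    #11 0x55b3aeec77a1 in main /fuzz/workspace/test.cpp:14:3
SUMMARY: AddressSanitizer: SEGV /fuzz/src/qemu/tcg/tcg.c:2132:5 in tcg_emit_op_mipsel
"""

if __name__ == "__main__":
    print("same crash (top 5):", same_crash(REPORT_ORIGINAL, REPORT_RETRY))
    print("same crash (top 11):", same_crash(REPORT_ORIGINAL, REPORT_RETRY, depth=11))
```

With the default depth the two reports dedup to the same bucket, which is the answer the thread wanted. At depth 11 they differ only in the uc_ctl frame (uc.c:2879 versus uc.c:2754), which is what you expect when the commit being tried moved code in uc.c without changing the faulting path in the translator; that is also why a signature should stop well short of the harness and libc frames.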