This repository has been archived by the owner on Nov 29, 2021. It is now read-only.
Inside the function gen_intermediate_code_internal_a64 the produced translation blocks should be guarded with calls to gen_tb_start / gen_tb_end. For the normal Unicorn addr_end path this is done correctly, but in the case of the Unicorn AFL-specific exits array the call to gen_tb_start is missing.
https://github.com/AFLplusplus/unicornafl/blob/fb2fc9f25df32f17f6b6b859e4dbd70f9a857e0c/qemu/target-arm/translate-a64.c#L11095
This issue results in an out-of-bounds access on the labels structure deeper in the call tree, in gen_set_label. In my case it most often presented itself as a fatal TCG error due to an incorrect relocation type, but it can likely also surface in other ways. Also, this code has very minimal bounds checking, so it continued for quite a while before it became obvious something was wrong.
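The pairing invariant the report describes, as an added example that is not part of the issue and not QEMU or unicornafl code: a constructed model of a translator's label bookkeeping in which `tb_start`, `set_label` and `tb_end` (hypothetical names standing in for gen_tb_start / gen_set_label / gen_tb_end) check their inputs. With the guard in place the block's exit label is reserved and then placed; on the unguarded path, the model's `tb_end` runs with no reserved label and the bounds check in `set_label` reports the error instead of indexing the label array at -1, which is the kind of silent out-of-range write the issue says went unnoticed for a long time.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of label bookkeeping, added to illustrate the issue.
 * It is NOT QEMU/unicornafl code: TCG keeps labels in its own context;
 * the fixed-size array here only makes the bounds check explicit. */
#define MAX_LABELS 8
#define LABEL_UNSET (-1)

typedef struct {
    int nb_labels;                /* labels handed out so far */
    int label_offset[MAX_LABELS]; /* label id -> code offset, LABEL_UNSET until placed */
    int exit_label;               /* label reserved by tb_start; LABEL_UNSET outside a block */
    int code_offset;              /* position of the next emitted "instruction" */
} TranslationCtx;

static void ctx_init(TranslationCtx *ctx)
{
    ctx->nb_labels = 0;
    for (int i = 0; i < MAX_LABELS; i++)
        ctx->label_offset[i] = LABEL_UNSET;
    ctx->exit_label = LABEL_UNSET;
    ctx->code_offset = 0;
}

/* Hypothetical counterpart of gen_tb_start: reserves the block's exit label. */
static bool tb_start(TranslationCtx *ctx)
{
    if (ctx->exit_label != LABEL_UNSET) {
        fprintf(stderr, "tb_start: block already open\n");
        return false;
    }
    if (ctx->nb_labels >= MAX_LABELS) {
        fprintf(stderr, "tb_start: label pool exhausted\n");
        return false;
    }
    ctx->exit_label = ctx->nb_labels++;
    return true;
}

/* Hypothetical counterpart of gen_set_label, with the bounds check the
 * issue says the real code largely lacks. */
static bool set_label(TranslationCtx *ctx, int label)
{
    if (label < 0 || label >= ctx->nb_labels) {
        fprintf(stderr, "set_label: label %d out of range [0,%d)\n",
                label, ctx->nb_labels);
        return false;
    }
    if (ctx->label_offset[label] != LABEL_UNSET) {
        fprintf(stderr, "set_label: label %d placed twice\n", label);
        return false;
    }
    ctx->label_offset[label] = ctx->code_offset;
    return true;
}

/* Hypothetical counterpart of gen_tb_end: places the label reserved by
 * tb_start. Without a prior tb_start, exit_label is LABEL_UNSET (-1) and an
 * unchecked implementation would index label_offset[-1]. */
static bool tb_end(TranslationCtx *ctx)
{
    int label = ctx->exit_label;
    ctx->exit_label = LABEL_UNSET; /* close the block either way */
    return set_label(ctx, label);
}

/* Stand-in for translating n guest instructions. */
static void emit_insns(TranslationCtx *ctx, int n)
{
    ctx->code_offset += n;
}

/* The correctly guarded path: start, translate, end. */
static bool translate_block_guarded(TranslationCtx *ctx, int n_insns)
{
    if (!tb_start(ctx))
        return false;
    emit_insns(ctx, n_insns);
    return tb_end(ctx);
}

/* The shape the issue describes for the exits-array path: tb_end with no
 * matching tb_start. The checked set_label reports it instead of writing
 * out of bounds. */
static bool translate_block_unguarded(TranslationCtx *ctx, int n_insns)
{
    emit_insns(ctx, n_insns);
    return tb_end(ctx);
}

int main(void)
{
    TranslationCtx ctx;
    ctx_init(&ctx);
    printf("guarded:   %s\n", translate_block_guarded(&ctx, 3) ? "ok" : "error");
    ctx_init(&ctx);
    printf("unguarded: %s\n", translate_block_unguarded(&ctx, 3) ? "ok" : "error");
    return 0;
}
```

The point of the model is that the failure is detected at the first unpaired `tb_end`, at the site of the missing guard, rather than much later as a confusing relocation error; the same check-at-the-boundary idea applies when adding assertions to a real translator's label allocator.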