This repository has been archived by the owner on Nov 29, 2021. It is now read-only.

ARM64: Exit address cannot be start of basic block due to missing call to gen_tb_start #14

Open
MartijnB opened this issue Mar 3, 2021 · 2 comments

Comments

@MartijnB

MartijnB commented Mar 3, 2021

Inside the function gen_intermediate_code_internal_a64 the produced translation blocks should be guarded with calls to gen_tb_start / gen_tb_end. For the normal Unicorn addr_end path this is done correctly, but in the case of the Unicorn AFL-specific exits array the call to gen_tb_start is missing.

https://github.com/AFLplusplus/unicornafl/blob/fb2fc9f25df32f17f6b6b859e4dbd70f9a857e0c/qemu/target-arm/translate-a64.c#L11095

This issue results in an out-of-bounds access on the labels structure deeper in the call tree, in gen_set_label. In my case it most often presented itself as a fatal TCG error due to an incorrect relocation type, but it can likely surface in other ways too. Also, this code has very minimal bounds checking, so it continued for quite a while before it became obvious that something was wrong.
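The failure mode described above, as an added stand-alone model that is not code from unicornafl or QEMU: a translation block that calls gen_tb_end without a preceding gen_tb_start resolves an exit label that was never allocated for that block. The names (tcg_func_start, gen_new_label, gen_set_label, exitreq_label) mirror the QEMU-style concepts, and the assumption that gen_tb_start allocates the exit-request label which gen_tb_end later places is mine; the label table, the toy position counter and the explicit bounds check in gen_set_label are a simplification written for this example, not the real TCG bookkeeping.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 8
#define LABEL_UNSET (-1)

/* One label slot: whether gen_set_label has placed it, and at which position. */
typedef struct {
    bool has_value;
    int  value;
} Label;

/* Per-translation-block generator state (a stand-in for TCGContext; assumption). */
typedef struct {
    Label labels[MAX_LABELS];
    int   nb_labels;      /* labels allocated by gen_new_label in the current TB */
    int   exitreq_label;  /* allocated by gen_tb_start, placed by gen_tb_end */
    int   pos;            /* toy "emitted code position" counter */
    int   oob_errors;     /* violations caught by the bounds check in gen_set_label */
} GenCtx;

/* Fresh context: nothing allocated yet, exit label unset. */
static GenCtx fresh_ctx(void) {
    GenCtx s;
    memset(&s, 0, sizeof s);
    s.exitreq_label = LABEL_UNSET;
    return s;
}

/* Reset per-TB state. exitreq_label is deliberately NOT reset, modelling a
 * field that keeps whatever the previous TB left in it. */
static void tcg_func_start(GenCtx *s) {
    memset(s->labels, 0, sizeof s->labels);
    s->nb_labels = 0;
    s->pos = 0;
}

static int gen_new_label(GenCtx *s) {
    if (s->nb_labels >= MAX_LABELS) return LABEL_UNSET;
    s->labels[s->nb_labels].has_value = false;
    return s->nb_labels++;
}

/* Place label n at the current position. Instead of indexing labels[] blindly,
 * refuse (and count) any n that was not allocated in this TB. */
static bool gen_set_label(GenCtx *s, int n) {
    if (n < 0 || n >= s->nb_labels) {
        s->oob_errors++;
        return false;
    }
    s->labels[n].has_value = true;
    s->labels[n].value = s->pos;
    return true;
}

static void gen_tb_start(GenCtx *s) {
    s->exitreq_label = gen_new_label(s); /* label for the exit-request branch */
    s->pos++;                            /* toy stand-in for the emitted check */
}

static bool gen_tb_end(GenCtx *s) {
    return gen_set_label(s, s->exitreq_label); /* resolve the label from gen_tb_start */
}

/* A TB body that allocates and places n_body_labels labels of its own. */
static void gen_body(GenCtx *s, int n_body_labels) {
    for (int i = 0; i < n_body_labels; i++) {
        gen_set_label(s, gen_new_label(s));
        s->pos++; /* one instruction after each label */
    }
}

/* Correct path: gen_tb_start ... body ... gen_tb_end. */
static bool translate_tb_correct(GenCtx *s, int n_body_labels) {
    tcg_func_start(s);
    gen_tb_start(s);
    gen_body(s, n_body_labels);
    return gen_tb_end(s);
}

/* Faulty path as reported in the issue: gen_tb_end without gen_tb_start, so
 * exitreq_label is whatever the context held before this TB. */
static bool translate_tb_missing_start(GenCtx *s, int n_body_labels) {
    tcg_func_start(s);
    gen_body(s, n_body_labels);
    return gen_tb_end(s);
}

int main(void) {
    GenCtx ctx = fresh_ctx();
    printf("missing start, fresh ctx ok: %d\n", translate_tb_missing_start(&ctx, 0));
    printf("correct path ok:             %d\n", translate_tb_correct(&ctx, 2));
    printf("missing start, stale label:  %d\n", translate_tb_missing_start(&ctx, 0));
    printf("missing start, 1 body label: %d (label 0 now at %d)\n",
           translate_tb_missing_start(&ctx, 1), ctx.labels[0].value);
    printf("bounds violations caught:    %d\n", ctx.oob_errors);
    return 0;
}
```

The last scenario is the quiet case the report warns about: when the current TB happens to have allocated at least one label of its own, the stale exit label index is in range, the bounds check passes, and gen_tb_end silently overwrites a body label instead of failing, which is why the problem can run for a while before anything obvious breaks.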

@domenukk
Member

domenukk commented May 6, 2021

Thank you! Should be fixed with 3a8957f

@domenukk
Member

domenukk commented May 6, 2021

For the record, all other architectures already did this correctly.

dmitryya pushed a commit to dmitryya/unicornafl that referenced this issue May 26, 2021