Fix UAF when deleting hook while in hook callback #1127 (#1130)

* Handle the cpu context save in a more pythonic way, so the context can be serialized and reuse in an other process using the same emulator architecture and modes * Fix type error ; mistakes a size_t uint64_t ; breaks in 32bit... * Fix the UAF situation when deleting a hook while being in a hook callback. Added an attribute 'to_delete' to hooks, and a list hooks_to_del to delay the free of the hooks * Minor fixes ; forgot return type of clear_deleted_hooks ; do not declare variable in for predicate
2020-05-07 08:24:48 +02:00
parent f435efd4a7
commit 881e08da01
8 changed files with 122 additions and 11 deletions
--- a/qemu/cpu-exec.c
+++ b/qemu/cpu-exec.c
@@ -135,6 +135,8 @@ int cpu_exec(struct uc_struct *uc, CPUArchState *env)   // qq
                        // Unicorn: call registered invalid instruction callbacks
                        HOOK_FOREACH_VAR_DECLARE;
                        HOOK_FOREACH(uc, hook, UC_HOOK_INSN_INVALID) {
+                            if (hook->to_delete)
+                                continue;
                            catched = ((uc_cb_hookinsn_invalid_t)hook->callback)(uc, hook->user_data);
                            if (catched)
                                break;
@@ -145,6 +147,8 @@ int cpu_exec(struct uc_struct *uc, CPUArchState *env)   // qq
                        // Unicorn: call registered interrupt callbacks
                        HOOK_FOREACH_VAR_DECLARE;
                        HOOK_FOREACH(uc, hook, UC_HOOK_INTR) {
+                            if (hook->to_delete)
+                                continue;
                            ((uc_cb_hookintr_t)hook->callback)(uc, cpu->exception_index, hook->user_data);
                            catched = true;
                        }