Avoid null ptr deref when writing to arm context pc register

2025-02-10 15:58:28 +08:00
parent 48fb28dfbc
commit a903fa182b
2 changed files with 9 additions and 2 deletions
--- a/qemu/target/arm/unicorn_arm.c
+++ b/qemu/target/arm/unicorn_arm.c
@@ -433,7 +433,10 @@ uc_err reg_write(void *_env, int mode, unsigned int regid, const void *value,
            CHECK_REG_TYPE(uint32_t);
            env->pc = (*(uint32_t *)value & ~1);
            env->thumb = (*(uint32_t *)value & 1);
-            env->uc->thumb = (*(uint32_t *)value & 1);
+            if (env->uc) {
+                // This can be NULL if env is a context
+                env->uc->thumb = (*(uint32_t *)value & 1);
+            }
            env->regs[15] = (*(uint32_t *)value & ~1);
            *setpc = 1;
            break;
@@ -754,7 +757,8 @@ static uc_err uc_arm_context_restore(struct uc_struct *uc, uc_context *context)
    ARM_ENV_RESTORE(env->sau.rlar)

 #undef ARM_ENV_RESTORE
-
+    // Overwrite uc to our uc
+    env->uc = uc;
    return UC_ERR_OK;
 }

--- a/tests/unit/test_arm.c
+++ b/tests/unit/test_arm.c
@@ -757,12 +757,15 @@ static void test_arm_context_save(void)
    uc_engine *uc2;
    char code[] = "\x83\xb0"; // sub    sp, #0xc
    uc_context *ctx;
+    uint32_t pc;

    uc_common_setup(&uc, UC_ARCH_ARM, UC_MODE_THUMB, code, sizeof(code) - 1,
                    UC_CPU_ARM_CORTEX_R5);

    OK(uc_context_alloc(uc, &ctx));
    OK(uc_context_save(uc, ctx));
+    OK(uc_context_reg_read(ctx, UC_ARM_REG_PC, (void*)&pc));
+    OK(uc_context_reg_write(ctx, UC_ARM_REG_PC, (void*)&pc));
    OK(uc_context_restore(uc, ctx));

    uc_common_setup(&uc2, UC_ARCH_ARM, UC_MODE_THUMB, code, sizeof(code) - 1,