Conversation


@droe droe commented Dec 20, 2025

Addresses multiple issues in the arm context save/restore code:

  • When restoring from context, do not clobber pointers in CPUARMState with data from the context buffer. This causes use-after-free bugs usually manifesting as double-free crashes.
  • When saving to context, do not copy pointers from CPUARMState to the context buffer, to avoid leaking pointers to the context. Instead, zero the respective area of the context buffer, to ensure that reg_read and reg_write can access fields outside of the copied range. Specifically, env->uc needs to be NULL when accessed for a context.
  • When restoring to a CPU with a different nr than the source CPU, copy min(nr, ctx_nr) instead of nothing at all.
  • Add regression tests checking all CPU models for arm and arm64 for trivial double-free crashes.

Fixes #2195

Addresses multiple issues in the arm context save/restore code:
-   When restoring from context, do not clobber pointers in CPUARMState
    with data from the context buffer.  This causes use-after-free bugs
    usually manifesting as double-free crashes.
-   When saving to context, do not copy pointers from CPUARMState to the
    context buffer, to avoid leaking pointers to the context.  Instead,
    zero the respective area of the context buffer, to ensure that
    reg_read and reg_write can access fields outside of the copied
    range.  Specifically, env->uc needs to be NULL when accessed for a
    context.
-   When restoring to a CPU with a different nr than the source CPU,
    copy min(nr, ctx_nr) instead of nothing at all.
-   Add regression tests checking all CPU models for arm and arm64 for
    trivial double-free crashes.

Fixes unicorn-engine#2195
@droe droe force-pushed the droe/arm-context-fix branch from 3efb186 to 613df32 on December 20, 2025 23:13
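The three behaviours the PR describes (zero the pointer fields inside the saved range, keep the CPU's own pointers on restore, and copy min(nr, ctx_nr) when the sizes differ) are easiest to see side by side with the pre-fix blind memcpy. The following is an added illustration written for this page, not unicorn's code: `ToyCPUState`, `ToyContext`, the `uc`/`scratch` fields and the `nr` byte counts are hypothetical stand-ins for CPUARMState, uc_context and the real copy length, chosen so the pointer fields sit inside the copied range.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for CPUARMState and uc_context, written for this
 * illustration only; they are not unicorn's real structures or code. */
typedef struct ToyUC { int id; } ToyUC;

typedef struct {
    uint32_t regs[16];   /* value state that must round-trip through a context */
    ToyUC   *uc;         /* back-pointer to the owning engine (env->uc) */
    void    *scratch;    /* block owned by this CPU, freed at teardown */
    uint64_t xregs[32];  /* more value state, located after the pointers */
} ToyCPUState;

typedef struct {
    size_t      nr;      /* bytes of ToyCPUState captured (the ctx_nr) */
    ToyCPUState saved;   /* partial copy; bytes beyond nr stay zero */
} ToyContext;

static size_t min_size(size_t a, size_t b) { return a < b ? a : b; }

/* Pre-fix behaviour: blind byte copies in both directions. */
static void naive_save(ToyContext *ctx, const ToyCPUState *env, size_t nr)
{
    ctx->nr = min_size(nr, sizeof(*env));
    memcpy(&ctx->saved, env, ctx->nr);        /* leaks live pointers into ctx */
}

static void naive_restore(ToyCPUState *env, const ToyContext *ctx)
{
    memcpy(env, &ctx->saved, ctx->nr);        /* drags stale pointers into env */
}

/* Fixed save: copy nr bytes, then zero the pointer fields that fell inside
 * the copied range, so the context carries no addresses and saved.uc reads
 * as NULL when reg_read/reg_write-style accessors look at it. */
static void context_save(ToyContext *ctx, const ToyCPUState *env, size_t nr)
{
    ctx->nr = min_size(nr, sizeof(*env));
    memset(&ctx->saved, 0, sizeof ctx->saved);
    memcpy(&ctx->saved, env, ctx->nr);
    if (ctx->nr >= offsetof(ToyCPUState, uc) + sizeof ctx->saved.uc)
        ctx->saved.uc = NULL;
    if (ctx->nr >= offsetof(ToyCPUState, scratch) + sizeof ctx->saved.scratch)
        ctx->saved.scratch = NULL;
}

/* Fixed restore: copy min(nr, ctx_nr) bytes, but keep env's own pointers
 * rather than overwriting them with whatever the context holds.
 * Returns the number of bytes copied. */
static size_t context_restore(ToyCPUState *env, const ToyContext *ctx, size_t nr)
{
    size_t n = min_size(min_size(nr, ctx->nr), sizeof(*env));
    ToyUC *uc = env->uc;
    void  *scratch = env->scratch;
    memcpy(env, &ctx->saved, n);
    env->uc = uc;
    env->scratch = scratch;
    return n;
}

/* A CPU with a live engine pointer, an owned block and known register values. */
static void init_cpu(ToyCPUState *env, ToyUC *uc, void *scratch)
{
    memset(env, 0, sizeof *env);
    env->uc = uc;
    env->scratch = scratch;
    for (int i = 0; i < 16; i++) env->regs[i] = 0x100 + i;
    env->xregs[3] = 0xdeadbeefULL;
}

/* Scenario: save, then the CPU's block is replaced (as happens when the
 * engine re-creates it), then restore. Returns 1 if env still owns the new
 * block and its registers came back; 0 if restore left env pointing at the
 * old block, which is the dangling pointer behind a later double free. */
static int round_trip_keeps_live_pointers(int fixed)
{
    ToyUC uc = { 1 };
    char old_block[64], new_block[64];       /* constructed stand-ins for heap blocks */
    ToyCPUState env;
    ToyContext ctx;
    init_cpu(&env, &uc, old_block);
    if (fixed) context_save(&ctx, &env, sizeof env);
    else       naive_save(&ctx, &env, sizeof env);
    env.scratch = new_block;                 /* allocation replaced */
    memset(env.regs, 0, sizeof env.regs);    /* register state diverged */
    if (fixed) context_restore(&env, &ctx, sizeof env);
    else       naive_restore(&env, &ctx);
    return env.uc == &uc && env.scratch == new_block && env.regs[5] == 0x105;
}

/* Restoring into a CPU whose nr is smaller than ctx_nr copies the common
 * prefix (here: everything before xregs) instead of nothing at all. */
static int partial_restore_ok(void)
{
    ToyUC uc = { 1 };
    char block[64];
    ToyCPUState env;
    ToyContext ctx;
    init_cpu(&env, &uc, block);
    context_save(&ctx, &env, sizeof env);
    env.regs[5] = 0;
    env.xregs[3] = 0x42;
    size_t n = context_restore(&env, &ctx, offsetof(ToyCPUState, xregs));
    return ctx.saved.uc == NULL && ctx.saved.scratch == NULL
        && n == offsetof(ToyCPUState, xregs)
        && env.regs[5] == 0x105 && env.xregs[3] == 0x42;
}
```

The two scenario functions are the regression checks a reviewer would want for this class of bug: `round_trip_keeps_live_pointers(0)` reproduces the pre-fix outcome (the CPU is left holding the address captured at save time), while `round_trip_keeps_live_pointers(1)` and `partial_restore_ok()` confirm that the fixed path neither leaks pointers into the context nor lets the context overwrite them, and that a size mismatch degrades to a prefix copy rather than a no-op.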