Avoid memory corruption in arm context save/restore code by droe · Pull Request #2276 · unicorn-engine/unicorn

droe · 2025-12-20T22:17:02Z

Addresses multiple issues in the arm context save/restore code:

When restoring from context, do not clobber pointers in CPUARMState with data from the context buffer. This causes use-after-free bugs usually manifesting as double-free crashes.
When saving to context, do not copy pointers from CPUARMState to the context buffer, to avoid leaking pointers to the context. Instead, zero the respective area of the context buffer, to ensure that reg_read and reg_write can access fields outside of the copied range. Specifically, env->uc needs to be NULL when accessed for a context.
When restoring to a CPU with a different nr than the source CPU, copy min(nr, ctx_nr) instead of nothing at all.
Add regression tests checking all CPU models for arm and arm64 for trivial double-free crashes.

wtdcode · 2026-01-16T08:27:31Z


 #undef ARM_ENV_RESTORE
-    // Overwrite uc to our uc
-    env->uc = uc;


Is this removed by design?

Yes. We no longer clobber env->uc during restore, hence we do not need to fix env->uc to the correct uc after clobbering it with a potentially stale or mismatching pointer from the context.

wtdcode · 2026-01-16T08:31:42Z

LGTM except Specifically, env->uc needs to be NULL when accessed for a context.. Could you elaborate the reason?

droe · 2026-01-16T13:35:03Z

The reason is that AArch32 reg_write wants to write to env->uc->thumb when setting pc, and it checks if uc is NULL to check if it is operating on a live uc or a context, see:

unicorn/qemu/target/arm/unicorn_arm.c

Lines 440 to 443 in d4076e1

    
           if (env->uc) { 
        
               // This can be NULL if env is a context 
        
               env->uc->thumb = (*(uint32_t *)value & 1); 
        
           }

reg_write writing to uc->thumb looks like a potential bug to me, but I did not want to investigate and touch that in this PR. Maybe this PR should address that too, what do you think?

wtdcode · 2026-01-16T15:24:52Z

The reason is that AArch32 reg_write wants to write to env->uc->thumb when setting pc, and it checks if uc is NULL to check if it is operating on a live uc or a context, see:

unicorn/qemu/target/arm/unicorn_arm.c

Lines 440 to 443 in d4076e1

if (env->uc) {

// This can be NULL if env is a context

env->uc->thumb = (*(uint32_t *)value & 1);

}

reg_write writing to uc->thumb looks like a potential bug to me, but I did not want to investigate and touch that in this PR. Maybe this PR should address that too, what do you think?

This points to a903fa1

Would you mind rebasing your branch to the latest dev so that we can have CI to run?

droe · 2026-01-16T15:39:19Z

Rebased on latest dev.

wtdcode · 2026-01-16T15:44:26Z

mingw test failure is Github Action bug.

droe · 2026-01-17T16:36:37Z

This points to a903fa1

I am not sure why thumb is a property of uc and not part of the CPU state, but thinking about it some more, the behaviour makes sense. I think this PR can go in as is (unless there are any concerns of course).

Addresses multiple issues in the arm context save/restore code: - When restoring from context, do not clobber pointers in CPUARMState with data from the context buffer. This causes use-after-free bugs usually manifesting as double-free crashes. - When saving to context, do not copy pointers from CPUARMState to the context buffer, to avoid leaking pointers to the context. Instead, zero the respective area of the context buffer, to ensure that reg_read and reg_write can access fields outside of the copied range. Specifically, env->uc needs to be NULL when accessed for a context. - When restoring to a CPU with a different nr than the source CPU, copy min(nr, ctx_nr) instead of nothing at all. - Add regression tests checking all CPU models for arm and arm64 for trivial double-free crashes. Fixes unicorn-engine#2195

droe · 2026-01-18T20:49:51Z

Rebased on top of latest dev and resolved merge conflict.

droe force-pushed the droe/arm-context-fix branch from 3efb186 to 613df32 Compare December 20, 2025 23:13

wtdcode reviewed Jan 16, 2026

View reviewed changes

droe force-pushed the droe/arm-context-fix branch from 2112f44 to 027015b Compare January 16, 2026 15:39

droe added 2 commits January 18, 2026 21:46

Add cautionary comment for AArch64 uc->cpu_context_size

cd473c7

droe force-pushed the droe/arm-context-fix branch from 027015b to cd473c7 Compare January 18, 2026 20:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Avoid memory corruption in arm context save/restore code#2276

Avoid memory corruption in arm context save/restore code#2276
droe wants to merge 2 commits into
unicorn-engine:devfrom
droe:droe/arm-context-fix

droe commented Dec 20, 2025

Uh oh!

wtdcode Jan 16, 2026

Uh oh!

droe Jan 16, 2026

Uh oh!

wtdcode commented Jan 16, 2026

Uh oh!

droe commented Jan 16, 2026 •

edited

Loading

Uh oh!

wtdcode commented Jan 16, 2026

Uh oh!

droe commented Jan 16, 2026

Uh oh!

wtdcode commented Jan 16, 2026

Uh oh!

droe commented Jan 17, 2026

Uh oh!

droe commented Jan 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

droe commented Dec 20, 2025

Uh oh!

wtdcode Jan 16, 2026

Choose a reason for hiding this comment

Uh oh!

droe Jan 16, 2026

Choose a reason for hiding this comment

Uh oh!

wtdcode commented Jan 16, 2026

Uh oh!

droe commented Jan 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

wtdcode commented Jan 16, 2026

Uh oh!

droe commented Jan 16, 2026

Uh oh!

wtdcode commented Jan 16, 2026

Uh oh!

droe commented Jan 17, 2026

Uh oh!

droe commented Jan 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

droe commented Jan 16, 2026 •

edited

Loading