Hi, using uc_ctl_request_cache with UC_ARCH_MIPS results in a segfault. Interestingly, this seems to only happen on MIPS (both 32 and 64 bit). Tested on the most recent commit c24c9ebe (found via automated fuzzing).

The following testcase reproduces the crash:
testcase.cpp

```cpp
#include <cstdint>

// Header paths as used in the reporter's fuzzing environment; on a regular
// install these are <unicorn/unicorn.h> and <unicorn/mips.h>.
extern "C" {
#include "/fuzz/install/include/unicorn/unicorn.h"
#include "/fuzz/install/include/unicorn/mips.h"
}

int main() {
    uc_engine *uc = nullptr;
    if (uc_open(UC_ARCH_MIPS, UC_MODE_MIPS32, &uc) != UC_ERR_OK) return 0;

    // Map one page and fill it with arbitrary 0x90 filler bytes so the
    // cache request has something to translate.
    uint64_t base = 0x1000;
    if (uc_mem_map(uc, base, 0x1000, UC_PROT_READ | UC_PROT_EXEC | UC_PROT_WRITE) != UC_ERR_OK) return 0;
    unsigned char code[16];
    for (int i = 0; i < 16; i++) code[i] = 0x90;
    if (uc_mem_write(uc, base, code, sizeof(code)) != UC_ERR_OK) return 0;

    // Request translation and caching of the TB at `base` without ever
    // having called uc_emu_start; this is the call that segfaults on MIPS.
    uc_tb tb{};
    uc_ctl_request_cache(uc, base, &tb);

    uc_close(uc);
    return 0;
}
```
ASAN crash

```text
==12==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d18bf4af76 bp 0x000000000006 sp 0x7ffccff5a800 T0)
==12==The signal is caused by a WRITE memory access.
==12==Hint: address points to the zero page.
    #0 0x55d18bf4af76 in tcg_emit_op_mipsel /fuzz/src/qemu/tcg/tcg.c:2132:5
    #1 0x55d18bf77977 in tcg_gen_op2_mipsel /fuzz/src/qemu/tcg/tcg-op.c:51:17
    #2 0x55d18bf49400 in tcg_gen_op2i_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:134:5
    #3 0x55d18bf49400 in tcg_gen_movi_i32 /fuzz/src/qemu/include/tcg/tcg-op.h:416:5
    #4 0x55d18bf49400 in tcg_const_i32_mipsel /fuzz/src/qemu/tcg/tcg.c:1104:5
    #5 0x55d18c0efa64 in mips_tr_translate_insn /fuzz/src/qemu/target/mips/translate.c:30951:19
    #6 0x55d18df8db6f in translator_loop_mipsel /fuzz/src/qemu/accel/tcg/translator.c:125:9
    #7 0x55d18c0e920c in gen_intermediate_code_mipsel /fuzz/src/qemu/target/mips/translate.c:31107:5
    #8 0x55d18c00cdf6 in tb_gen_code_mipsel /fuzz/src/qemu/accel/tcg/translate-all.c:1759:5
    #9 0x55d18c00aadd in uc_gen_tb /fuzz/src/qemu/accel/tcg/translate-all.c:1187:18
    #10 0x55d18aedec5f in uc_ctl /fuzz/src/uc.c:2879:19
    #11 0x55d18aeca7a1 in main /fuzz/workspace/test.cpp:14:3
    #12 0x7fbbcccdcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7fbbcccdce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x55d18adef4c4 in _start (/fuzz/workspace/test+0x3894c4) (BuildId: db8496ce3bcb6dcc5fb8612e93dc0970e88d7fff)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzz/src/qemu/tcg/tcg.c:2132:5 in tcg_emit_op_mipsel
```