Avoid null ptr deref when writing to arm context pc register

Author: wtdcode

qemu/target/arm/unicorn_arm.c

@@ -433,7 +433,10 @@ uc_err reg_write(void *_env, int mode, unsigned int regid, const void *value,
             CHECK_REG_TYPE(uint32_t);
             env->pc = (*(uint32_t *)value & ~1);
             env->thumb = (*(uint32_t *)value & 1);
-            env->uc->thumb = (*(uint32_t *)value & 1);
+            if (env->uc) {
+                // This can be NULL if env is a context
+                env->uc->thumb = (*(uint32_t *)value & 1);
+            }
             env->regs[15] = (*(uint32_t *)value & ~1);
             *setpc = 1;
             break;
@@ -754,7 +757,8 @@ static uc_err uc_arm_context_restore(struct uc_struct *uc, uc_context *context)
     ARM_ENV_RESTORE(env->sau.rlar)
 
 #undef ARM_ENV_RESTORE
-
+    // Overwrite uc to our uc
+    env->uc = uc;
     return UC_ERR_OK;
 }
 

tests/unit/test_arm.c

@@ -757,12 +757,15 @@ static void test_arm_context_save(void)
     uc_engine *uc2;
     char code[] = "\x83\xb0"; // sub    sp, #0xc
     uc_context *ctx;
+    uint32_t pc;
 
     uc_common_setup(&uc, UC_ARCH_ARM, UC_MODE_THUMB, code, sizeof(code) - 1,
                     UC_CPU_ARM_CORTEX_R5);
 
     OK(uc_context_alloc(uc, &ctx));
     OK(uc_context_save(uc, ctx));
+    OK(uc_context_reg_read(ctx, UC_ARM_REG_PC, (void*)&pc));
+    OK(uc_context_reg_write(ctx, UC_ARM_REG_PC, (void*)&pc));
     OK(uc_context_restore(uc, ctx));
 
     uc_common_setup(&uc2, UC_ARCH_ARM, UC_MODE_THUMB, code, sizeof(code) - 1,