Emulating ARM64 code fails immediately with UC_ERR_FETCH_UNMAPPED

[danzat]

It appears as though unicornafl has some issue with emulating ARM64 code.

The following snippet, when linked against unicornafl (-lunicornafl) will terminate with an UC_ERR_FETCH_UNMAPPED error:

#include <stdio.h>

#include <unicorn/unicorn.h>

unsigned char code[] = {0xff, 0x43, 0x00, 0xd1}; // sub sp, sp, 0x10

int main(int argc, char *argv[])
{
    uint64_t address = 0x2000;
    uc_engine *uc = NULL;
    uc_err err = uc_open(UC_ARCH_ARM64, UC_MODE_ARM, &uc);
    uc_mem_map(uc, address, 0x1000, UC_PROT_ALL);
    uc_mem_write(uc, address, code, sizeof(code));
    uint64_t sp = 0x20;
    printf("Before: sp=0x%lx\n", sp);
    uc_reg_write(uc, UC_ARM64_REG_SP, &sp);
    err = uc_emu_start(uc, address, address + sizeof(code), 0, 0);
    if (err) {
        fprintf(stderr, "Emulation error: %u (%s)\n", err, uc_strerror(err));
        return -1;
    }
    uc_reg_read(uc, UC_ARM64_REG_SP, &sp);
    printf("After: sp=0x%lx\n", sp);
    return 0;
}

Running this results in:

Emulation error: 8 (Invalid memory fetch (UC_ERR_FETCH_UNMAPPED))

On some further digging (trying to hook fetch errors), it appears as though it tries to fetch from address 0. Maybe this can help track down the problem.

Compiling the same code against regular unicorn (-lunicorn) will run as expected:

Before: sp=0x20
After: sp=0x10

Could this be something that's already been fixed in upstream unicorn-engine? Maybe it's time for a rebase?

[domenukk]

Thanks for the report, I will try to merge master later, hopefully, that'll do the trick :)

[domenukk]

I've merged upstream unicorn in 8cca480 (afl++ AFLplusplus/AFLplusplus@f0e81b2 ) if you want to try

[domenukk]

Please reopen if this problem persists.