Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ARM Stack Pointer reset on CPSR write #1984

Open
OBarronCS opened this issue Aug 5, 2024 · 2 comments
Open

ARM Stack Pointer reset on CPSR write #1984

OBarronCS opened this issue Aug 5, 2024 · 2 comments

Comments

@OBarronCS
Copy link

OBarronCS commented Aug 5, 2024

Using Unicorn to emulate an Arm binary, I noticed a behavior where the stack pointer in the emulator is being reset to 0 if the CPSR register is written after the SP register.

Here's a minimal example:

import unicorn as U

uc = U.Uc(U.UC_ARCH_ARM, U.UC_MODE_ARM)

uc.reg_write(U.arm_const.UC_ARM_REG_SP,100)
# This returns 100, as expected
print(uc.reg_read(U.arm_const.UC_ARM_REG_SP))

# Now, write something to the CPSR register
uc.reg_write(U.arm_const.UC_ARM_REG_CPSR,0x30)

# Reading from stack pointer returns 0, instead of 100
print(uc.reg_read(U.arm_const.UC_ARM_REG_SP))

Assuming this is not expected behavior in Arm, the SP register being reset may be a bug in the writing of the CPSR register. In my testing, other registers (PC or other general purpose registers) do not reset upon the CPSR being written - only the SP has this behavior.

@OBarronCS
Copy link
Author

I think I have the root cause - I noticed that the default value of CPSR (when read immediately after initialization) is 0x400001d3. The bottom bits indicate supervisor mode. Arm has banked registers - SP being one of them - which means that each processor mode (supervisor, user, etc) has it's own distinct physical SP register. When you switch modes (say from supervisor to user), the SP is saved somewhere, and then restored upon your mode switching back to user mode.

Might this be configurable?

@wtdcode
Copy link
Member

wtdcode commented Dec 29, 2024

I think I have the root cause - I noticed that the default value of CPSR (when read immediately after initialization) is 0x400001d3. The bottom bits indicate supervisor mode. Arm has banked registers - SP being one of them - which means that each processor mode (supervisor, user, etc) has it's own distinct physical SP register. When you switch modes (say from supervisor to user), the SP is saved somewhere, and then restored upon your mode switching back to user mode.

Might this be configurable?

Sorry for missing this issue. Yes, you can configure CPSR by writing new values to it. Unicorn has code to rebuild all internal states regarding the switches.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants