Hello everyone,

I am an active maintainer of Unicorn engine
(https://github.com/unicorn-engine). During my development, I found
that the fstenv implementation in qemu upstream is incorrect.
Below is the code snippet from target/i386/tcg/fpu_helper.c
(https://github.com/qemu/qemu/blob/266469947161aa10b1d36843580d369d5aa38589/target/i386/tcg/fpu_helper.c#L2393).

> cpu_stl_data_ra(env, ptr, env->fpuc, retaddr);
> cpu_stl_data_ra(env, ptr + 4, fpus, retaddr);
> cpu_stl_data_ra(env, ptr + 8, fptag, retaddr);
> cpu_stl_data_ra(env, ptr + 12, 0, retaddr); /* fpip */
> cpu_stl_data_ra(env, ptr + 16, 0, retaddr); /* fpcs */
> cpu_stl_data_ra(env, ptr + 20, 0, retaddr); /* fpoo */
> cpu_stl_data_ra(env, ptr + 24, 0, retaddr); /* fpos */

The value of fpip is wrongly set to 0; it should be env->fpip, at
least I think. In real-world usage, fstenv is often used to obtain
the current eip value from the FIP field in shellcode.

According to git blame, this bug was introduced about 13 years ago:
https://github.com/qemu/qemu/blame/633decd71119a4293e5e53e6059026c517a8bef0/target-i386/fpu_helper.c#L997.

We also had a patch for this bug:
https://github.com/unicorn-engine/unicorn/commit/59b09a71bfc6fd8b95357944f6be9aa54f424421
which you may refer to. I can also help draft a patch if necessary.

I'm pretty new to the qemu-devel mailing list, and sorry for any violation of
your conventions. Thanks in advance!

Ziqiao
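As an added illustration of the layout the mail is talking about (this is example code written for this page, not code from qemu or Unicorn), the C below encodes and decodes the 28-byte 32-bit protected-mode FSTENV/FNSTENV image using the same seven 32-bit slots as the quoted snippet (FCW at 0, FSW at 4, FTW at 8, FIP at 12, FCS at 16, FDP at 20, FDS at 24), and includes the kind of regression check an emulator test could run: after an FPU instruction at a known address followed by FNSTENV, the FIP slot must hold that address. The struct, function names and the sample state values are assumptions made for the example; the image with the FIP slot zeroed reproduces the symptom described above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit protected-mode FPU environment image: seven 32-bit slots. */
#define FPENV32_SIZE 28

/* Hypothetical field set for the example; names are not qemu's. */
struct fpenv32 {
    uint16_t fcw;  /* control word, slot at offset 0 */
    uint16_t fsw;  /* status word, offset 4 */
    uint16_t ftw;  /* tag word, offset 8 */
    uint32_t fip;  /* offset of the last non-control FPU instruction, offset 12 */
    uint16_t fcs;  /* its code selector, low half of the slot at offset 16 */
    uint16_t fop;  /* low 11 opcode bits, bits 16..26 of the slot at offset 16 */
    uint32_t fdp;  /* offset of the last memory operand, offset 20 */
    uint16_t fds;  /* its data selector, offset 24 */
};

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write the image the way a correct FSTENV would from a snapshot of FPU state. */
void fpenv32_encode(const struct fpenv32 *e, uint8_t out[FPENV32_SIZE])
{
    memset(out, 0, FPENV32_SIZE);
    put_le32(out + 0,  e->fcw);
    put_le32(out + 4,  e->fsw);
    put_le32(out + 8,  e->ftw);
    put_le32(out + 12, e->fip);
    put_le32(out + 16, (uint32_t)e->fcs | ((uint32_t)(e->fop & 0x7ff) << 16));
    put_le32(out + 20, e->fdp);
    put_le32(out + 24, e->fds);
}

/* Parse an image (guest memory dump, emulator output) back into fields. */
void fpenv32_decode(const uint8_t in[FPENV32_SIZE], struct fpenv32 *e)
{
    uint32_t slot16 = get_le32(in + 16);
    e->fcw = (uint16_t)get_le32(in + 0);
    e->fsw = (uint16_t)get_le32(in + 4);
    e->ftw = (uint16_t)get_le32(in + 8);
    e->fip = get_le32(in + 12);
    e->fcs = (uint16_t)slot16;
    e->fop = (uint16_t)((slot16 >> 16) & 0x7ff);
    e->fdp = get_le32(in + 20);
    e->fds = (uint16_t)get_le32(in + 24);
}

/* Regression check: does the FIP slot hold the address of the FPU instruction? */
int fpenv32_fip_matches(const uint8_t in[FPENV32_SIZE], uint32_t expected_fip)
{
    return get_le32(in + 12) == expected_fip;
}

/* Round-trip self-check; returns 1 when encode/decode agree and the FIP check works. */
int fpenv32_selftest(void)
{
    struct fpenv32 in = {0}, out;
    uint8_t img[FPENV32_SIZE];

    /* Constructed sample state: default control word, all tags empty, FIP 0x401000. */
    in.fcw = 0x037f; in.ftw = 0xffff; in.fip = 0x00401000u;
    in.fcs = 0x0023; in.fop = 0x1d9; in.fdp = 0x00402000u; in.fds = 0x002b;

    fpenv32_encode(&in, img);
    if (get_le32(img + 12) != 0x00401000u) return 0;   /* FIP lands at offset 12 */
    fpenv32_decode(img, &out);
    if (out.fcw != in.fcw || out.ftw != in.ftw || out.fip != in.fip ||
        out.fcs != in.fcs || out.fop != in.fop || out.fdp != in.fdp ||
        out.fds != in.fds) return 0;
    if (!fpenv32_fip_matches(img, in.fip)) return 0;

    /* Image with the FIP slot written as 0: the symptom described in the mail. */
    memset(img + 12, 0, 4);
    if (fpenv32_fip_matches(img, in.fip)) return 0;
    return 1;
}

int main(void)
{
    printf("fpenv32 selftest: %s\n", fpenv32_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The check in `fpenv32_fip_matches` is what a unit test around an emulator's FNSTENV handler would assert: execute any non-control FPU instruction at a known guest address, store the environment, and compare the slot at offset 12 against that address rather than accepting a zeroed slot.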
