author | Kaz Kylheku <kaz@kylheku.com> | 2019-08-28 06:32:13 -0700 |
---|---|---|
committer | Kaz Kylheku <kaz@kylheku.com> | 2019-08-28 06:32:13 -0700 |
commit | aa7f00c34df40969e6166b7bfce7c9e3faf04970 (patch) | |
tree | e4b1a02ec9ea609df52b51688c42005bc34877e2 | |
parent | 2dd2bbf06e27be12364add9ab1892da74a5b791e (diff) | |
download | txr-aa7f00c34df40969e6166b7bfce7c9e3faf04970.tar.gz txr-aa7f00c34df40969e6166b7bfce7c9e3faf04970.tar.bz2 txr-aa7f00c34df40969e6166b7bfce7c9e3faf04970.zip |
unwind: bugfix: unhandled_ex not gc-protected.

Exception info stashed into the unhandled_ex global
pseudo-frame is not protected from gc reclamation. This
allows for use-after-free errors, that can reproduce if
unwind-protect cleanup forms that go off during the processing
of an unhandled exception trigger gc. The code which deals
with unhandled exception, like error_trace, then works with
exception arguments that are now objects on the free list.

* unwind.c (uw_init): GC-protect the exception sym and
arguments stored in unhandled_ex.
-rw-r--r-- | unwind.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -1180,7 +1180,9 @@ void uw_init(void) void uw_late_init(void) { protect(&frame_type, &catch_frame_type, &handle_frame_type, - &deferred_warnings, &tentative_defs, convert(val *, 0)); + &deferred_warnings, &tentative_defs, + &unhandled_ex.ca.sym, &unhandled_ex.ca.args, + convert(val *, 0)); #if CONFIG_DEBUG_SUPPORT protect(&fcall_frame_type, &eval_frame_type, convert(val *, 0)); #endif |
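Review bot: The ChangeLog entry in the commit message names uw_init, but the context line of this hunk shows the modified protect() call sits inside uw_late_init; uw_init appears only in the @@ header as the nearest preceding function. Please correct the entry to "(uw_late_init)" so the log matches the code. A short comment next to the added `&unhandled_ex.ca.sym, &unhandled_ex.ca.args,` line would also help, since these are fields of a static pseudo-frame rather than ordinary globals like the other roots in the list, and a later reader may not see why they need to be gc roots. The commit message describes a concrete trigger (unwind-protect cleanup forms causing gc while an unhandled exception is being processed); a regression test exercising that path would keep the use-after-free from coming back unnoticed.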