From 565ef4bbe9e5c69cc482b93d484f2c587e76887d Mon Sep 17 00:00:00 2001
From: Kaz Kylheku
Date: Wed, 28 Aug 2019 06:32:13 -0700
Subject: unwind: bugfix: unhandled_ex not gc-protected.
Exception info stashed into the unhandled_ex global pseudo-frame is not protected from gc reclamation. This allows for use-after-free errors, that can reproduce if unwind-protect cleanup forms that go off during the processing of an unhandled exception trigger gc. The code which deals with unhandled exception, like error_trace, then works with exception arguments that are now objects on the free list.
* unwind.c (uw_init): GC-protect the exception sym and arguments stored in unhandled_ex.
---
 unwind.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/unwind.c b/unwind.c
index b2e315b4..3495213d 100644
--- a/unwind.c
+++ b/unwind.c
@@ -1180,7 +1180,9 @@ void uw_init(void)
 void uw_late_init(void)
 {
   protect(&frame_type, &catch_frame_type, &handle_frame_type,
-          &deferred_warnings, &tentative_defs, convert(val *, 0));
+          &deferred_warnings, &tentative_defs,
+          &unhandled_ex.ca.sym, &unhandled_ex.ca.args,
+          convert(val *, 0));
 #if CONFIG_DEBUG_SUPPORT
   protect(&fcall_frame_type, &eval_frame_type, convert(val *, 0));
 #endif
-- 
cgit v1.2.3
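Review bot: The ChangeLog entry in the commit message names `uw_init`, but the hunk lands in `uw_late_init` (the `void uw_init(void)` in the `@@` header is only the preceding function's context), so the entry should read `* unwind.c (uw_late_init): GC-protect the exception sym and arguments stored in unhandled_ex.` to keep the log searchable against the code. The new roots cover only `unhandled_ex.ca.sym` and `unhandled_ex.ca.args`; `protect` presumably roots exactly the addresses it is passed, so if the `ca` member (its definition is not visible here) carries any further `val` slots they would need adding to the same call, which is worth confirming against the struct. A short comment above the new arguments, such as `/* unhandled_ex is a static pseudo-frame, so its val slots must be rooted explicitly or error_trace can see reclaimed objects */`, would record why a global needs this treatment. The body of `uw_late_init` continues beyond the end of the hunk.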