diff options
| author | Kaz Kylheku <kaz@kylheku.com> | 2019-08-28 06:32:13 -0700 |
|---|---|---|
| committer | Kaz Kylheku <kaz@kylheku.com> | 2019-08-28 06:32:13 -0700 |
| commit | 565ef4bbe9e5c69cc482b93d484f2c587e76887d (patch) | |
| tree | e4b1a02ec9ea609df52b51688c42005bc34877e2 /unwind.c | |
| parent | 393f9629e6575aa3a48a9e21bfb48b75490cb5e9 (diff) | |
| download | txr-565ef4bbe9e5c69cc482b93d484f2c587e76887d.tar.gz txr-565ef4bbe9e5c69cc482b93d484f2c587e76887d.tar.bz2 txr-565ef4bbe9e5c69cc482b93d484f2c587e76887d.zip | |
unwind: bugfix: unhandled_ex not gc-protected.
Exception info stashed into the unhandled_ex global
pseudo-frame is not protected from gc reclamation. This
allows for use-after-free errors, that can reproduce if
unwind-protect cleanup forms that go off during the processing
of an unhandled exception trigger gc. The code which deals
with unhandled exception, like error_trace, then works with
exception arguments that are now objects on the free list.
* unwind.c (uw_init): GC-protect the exception sym and
arguments stored in unhandled_ex.
Diffstat (limited to 'unwind.c')
| -rw-r--r-- | unwind.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -1180,7 +1180,9 @@ void uw_init(void) void uw_late_init(void) { protect(&frame_type, &catch_frame_type, &handle_frame_type, - &deferred_warnings, &tentative_defs, convert(val *, 0)); + &deferred_warnings, &tentative_defs, + &unhandled_ex.ca.sym, &unhandled_ex.ca.args, + convert(val *, 0)); #if CONFIG_DEBUG_SUPPORT protect(&fcall_frame_type, &eval_frame_type, convert(val *, 0)); #endif |