Closed empus closed 1 year ago
Thanks for the report - we're looking into this. The first two guesses are that it has something to do with Unicode characters and the server_raw/gotmsg functions not properly handling them.
I can repeat the crash.
Tcl tolower() crashes on Unicode like "yawning face" (\360\237\245\261),
and it is not limited to FreeBSD. I can repeat the crash under FreeBSD and Linux at least, both systems with Tcl 8.6.11.
$ uname -a
FreeBSD freebsd12 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC amd64
eggdrop.conf:
```tcl
# pubm bind: every public channel message is passed to proc test
bind pubm - * test

proc test {nick uhost hand chan text} {
  # string tolower on the incoming text is what triggers the crash
  if {[string tolower $text] == "test"} {
    return
  }
}
```
Then start eggdrop, connect it to an IRC server, let it join a channel,
and then send a Unicode character like \360\237\245\261 to the channel with another client, e.g. this eggdrop.yawning.face.py:
```python
#!/usr/bin/env python3
import os
import random
import socket
import sys
import time

CHARSET_NICK = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

if len(sys.argv) != 4:
    print("Usage: %s <ircserverhost> <ircserverport> <targetchan>" % sys.argv[0])
    sys.exit(os.EX_USAGE)

# pick a random 9-character nick
nick = ""
for i in range(9):
    nick += CHARSET_NICK[random.randint(0, len(CHARSET_NICK) - 1)]

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], int(sys.argv[2])))
s.sendall(("NICK %s\nUSER %s %s %s :%s\n" % (nick, nick, nick, nick, nick)).encode('utf-8'))

# wait for the 001 (RPL_WELCOME) reply before joining
while True:
    line = s.recv(512)
    if (" 001 %s :" % nick).encode('utf-8') in line:
        break

s.sendall(("JOIN #%s\n" % sys.argv[3]).encode('utf-8'))
time.sleep(1)
# send the yawning face (U+1F971) as its raw UTF-8 bytes
s.sendall(("PRIVMSG #%s :" % sys.argv[3]).encode('utf-8') + b"\360\237\245\261" + "\n".encode('utf-8'))
```
$ ./eggdrop.yawning.face.py 127.0.0.1 6667 test6888
and voila:
.console +r
.jump 192.168.1.3
[18:04:01] [@] :shcBGdQBp!~shcBGdQBp@localhost JOIN :#test6888
[18:04:02] [@] :shcBGdQBp!~shcBGdQBp@localhost PRIVMSG #test6888 :π₯±
[18:04:02] triggering bind test
Segmentation fault (core dumped)
So, this is a serious bug: potentially any eggdrop with a Tcl script loaded that does string processing like tolower() is DoSable. But I don't think this is the case for default installs without any external Tcl.
And here is a crash under Linux:
$ uname -a
Linux zen 5.12.3-arch1-1 #1 SMP PREEMPT Wed, 12 May 2021 17:54:18 +0000 x86_64 GNU/Linux
$ ./eggdrop -v
Eggdrop v1.9.1+alpha (C) 1997 Robey Pointer (C) 1999-2021 Eggheads
Configure flags: 'CFLAGS=-O0 -g3 -fstack-protector-all -fstack-clash-protection -fsanitize=address,undefined -ldl'
Compiled with: IPv6, TLS, handlen=32
==1549474==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000a4200 at pc 0x7f511f0679fb bp 0x7ffcffab8f70 sp 0x7ffcffab8718
WRITE of size 1 at 0x6290000a4200 thread T0
#0 0x7f511f0679fa in __interceptor_memmove /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:810
#1 0x7f511ef9b529 in Tcl_UtfToLower (/usr/lib/libtcl8.6.so+0x134529)
[...]
Here is a full backtrace with a debug Tcl.
eggdrop version ea8aa3150f095c84e3ef34912e6bfb0822b1b8a2
$ uname -ms
Linux x86_64
$ LD_LIBRARY_PATH=/home/michael/opt/tcl-8.6.11/lib ./eggdrop -v
Eggdrop v1.9.1+alpha (C) 1997 Robey Pointer (C) 1999-2021 Eggheads
Configure flags: '--with-tcllib=/home/michael/opt/tcl-8.6.11/lib/libtcl8.6.so' '--with-tclinc=/home/michael/opt/tcl-8.6.11/include/tcl.h' 'CFLAGS=-O0 -g3'
Compiled with: IPv6, TLS, handlen=32
(gdb) bt full
#0 0x00007f93cf90be8e in TclpAlloc (reqSize=64) at /home/michael/usr/src/tcl8.6.11/generic/tclThreadAlloc.c:360
cachePtr = 0x55f532162130
blockPtr = 0xb1b5b1b5b1b5b1b5
bucket = 2
size = 80
#1 0x00007f93cf7b3cf6 in Tcl_Alloc (size=64) at /home/michael/usr/src/tcl8.6.11/generic/tclCkalloc.c:1059
result = 0x7f93cf91bf7d <VarHashCreateVar+49> "H\211E\370H\203", <incomplete sequence \370>
#2 0x00007f93cf92566c in AllocVarEntry (tablePtr=0x55f532166778, keyPtr=0x55f5321b64e0)
at /home/michael/usr/src/tcl8.6.11/generic/tclVar.c:6277
objPtr = 0x55f5321b64e0
hPtr = 0x44354200d6b97c00
varPtr = 0x55f5321b64e0
#3 0x00007f93cf8a3595 in CreateHashEntry (tablePtr=0x55f532166778, key=0x55f5321b64e0 "\001", newPtr=0x7ffe292b9ff0)
at /home/michael/usr/src/tcl8.6.11/generic/tclHash.c:366
hPtr = 0x0
typePtr = 0x7f93cf99f680 <tclVarHashKeyType>
hash = 711995
index = 59
#4 0x00007f93cf91bf7d in VarHashCreateVar (tablePtr=0x55f532166778, key=0x55f5321b64e0, newPtr=0x7ffe292b9ff0)
at /home/michael/usr/src/tcl8.6.11/generic/tclVar.c:63
hPtr = 0x7f93cf91d230 <TclLookupSimpleVar+864>
#5 0x00007f93cf91d2c9 in TclLookupSimpleVar (interp=0x55f532177d60, varNamePtr=0x55f5321b64e0, flags=1, create=1,
errMsgPtr=0x7ffe292ba0e8, indexPtr=0x7ffe292ba0d0) at /home/michael/usr/src/tcl8.6.11/generic/tclVar.c:956
tailPtr = 0x55f5321b64e0
tail = 0x55f53222c500 "_log2"
lookGlobal = 1
iPtr = 0x55f532177d60
varFramePtr = 0x55f53217c670
tablePtr = 0x7ffe292bca40
var = 0x1ff
varPtr = 0x0
varNsPtr = 0x55f532166680
cxtNsPtr = 0x55f532166680
dummy1Ptr = 0x0
dummy2Ptr = 0x55f532166680
resPtr = 0x7ffe292ba2c0
isNew = 1
i = 0
result = 0
varLen = 5
varName = 0x55f53222c500 "_log2"
#6 0x00007f93cf91cbd6 in TclObjLookupVarEx (interp=0x55f532177d60, part1Ptr=0x55f5321b64e0, part2Ptr=0x0, flags=1,
msg=0x7f93cf9751fb "set", createPart1=1, createPart2=1, arrayPtrPtr=0x7ffe292ba1b0)
at /home/michael/usr/src/tcl8.6.11/generic/tclVar.c:713
iPtr = 0x55f532177d60
varPtr = 0x55f532249fc0
part1 = 0x55f53222c500 "_log2"
index = -1
len1 = 5
len2 = -1
parsed = 0
objPtr = 0x55f53222c500
typePtr = 0x0
errMsg = 0x0
varFramePtr = 0x55f53217c670
part2 = 0x0
newPart2 = 0x0
#7 0x00007f93cf91e28b in Tcl_ObjSetVar2 (interp=0x55f532177d60, part1Ptr=0x55f5321b64e0, part2Ptr=0x0, newValuePtr=0x55f5321b64b0,
flags=1) at /home/michael/usr/src/tcl8.6.11/generic/tclVar.c:1761
varPtr = 0x55f531fd44f7
arrayPtr = 0x0
#8 0x00007f93cf91e1cd in Tcl_SetVar2Ex (interp=0x55f532177d60, part1=0x55f531fd44f7 "_log2", part2=0x0, newValuePtr=0x55f5321b64b0,
flags=1) at /home/michael/usr/src/tcl8.6.11/generic/tclVar.c:1701
resPtr = 0x55f531fd0693
--Type <RET> for more, q to quit, c to continue without paging--c
part2Ptr = 0x0
part1Ptr = 0x55f5321b64e0
#9 0x00007f93cf91e104 in Tcl_SetVar2 (interp=0x55f532177d60, part1=0x55f531fd44f7 "_log2", part2=0x0, newValue=0x55f531fd0693 "*", flags=1) at /home/michael/usr/src/tcl8.6.11/generic/tclVar.c:1632
varValuePtr = 0x55f5321b6270
#10 0x000055f531fb33bf in check_tcl_log (lv=32, chan=0x55f531fd0693 "*", msg=0x7ffe292ba5db "* Last context: tclhash.c/734 [Tcl proc: test, param: $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5]") at tclhash.c:1250
mask = "* * Last context: tclhash.c/734 [Tcl proc: test, param: $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5]\000+)\376\177\000\000\034#\000\000\000\000\000\000`\243+)\376\177\000\000W\a\375\061\365U\000\000(\245+)\376\177\000\000\212\037\rΟ\177\000\000\000\000\000\000\000\000\000\000P\244+)\376\177\000\000\001\200\255\373\000\000\000\000Ϋ₯+)\376\177\000\000Ϋ₯+)\376\177\000\000Ϋ₯+)\376\177\000\000Ϋ₯+)\376\177\000\000:\246+)\376"...
#11 0x000055f531f9a781 in putlog (arg1=32) at misc.c:569
inhere = 1
i = 32766
type = 32
tsl = 11
format = 0x55f531fd0757 "* Last context: %s/%d [%s]"
chname = 0x55f531fd0693 "*"
s = "\000\246+)\376\177\000\000\346\227\370* Last context: tclhash.c/734 [Tcl proc: test, param: $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5]\000\000\060\000\000\000@\312+)\376\177\000\000\200\311+)\376\177\000\000[19:46:28] Connected to 127.0.0.1\n", '\000' <repeats 1678 times>...
s1 = "W\356+)\376\177", '\000' <repeats 42 times>, "\020\245\024\062\200\000\000\000\000\000\000\000\a", '\000' <repeats 27 times>, "\061\002\021Ο\177\000\000\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000\260R!Ο\177\000\000n\000\000\000\000\000\000\000\377\377\377\377\000\000\000\000\365 \021Ο\177\000\000\300~!Ο\177\000\000\000`!Ο\177", '\000' <repeats 18 times>, "\201\375\243`\000\000\000\000\300~!Ο\177\000\000\001\000\000\000\064\061\000\000\000|\271\326\000B"...
out = 0x7ffe292ba5db "* Last context: tclhash.c/734 [Tcl proc: test, param: $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5]"
ct = "r\246+)\376\177\000\000\000\000\000\000\377", '\000' <repeats 11 times>, "\360\200\374\061\365U\000\000Π₯+)\376\177\000\000\231%\370\061\365U\000\000\000\000\000\000\000\000\000\000\220)%2\365U\000\000P\246+)\376\177\000\000\000\000\000\000\003\000\000\000P"
s2 = 0x0
stamp = "[19:46:41] \000\365U\000\000P\246+)\376\177\000\000\"\000\000\000\001\000\000\000\000"
va = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7ffe292bed10, reg_save_area = 0x7ffe292bec40}}
now2 = 1621360001
now2_last = 1621360001
t = 0x7f93cf217ec0 <_tmbuf>
#12 0x000055f531f9492e in write_debug () at ./main.c:298
x = 32766
s = "\320A\033\062\365U\000\000\377\377\377\377\376\177\000\000\260\065,)\000\000\000\000\b"
y = 690744568
#13 0x000055f531f94e5c in got_segv (z=11) at ./main.c:389
No locals.
#14 <signal handler called>
No symbol table info available.
#15 0x00007f93cf9149e2 in Tcl_UtfToUniChar (src=0x55f532265ffe "\265\261"<error: Cannot access memory at address 0x55f532266000>, chPtr=0x7ffe292bf35c) at /home/michael/usr/src/tcl8.6.11/generic/tclUtf.c:407
byte = 181
#16 0x00007f93cf916a17 in TclUtfToUCS4 (src=0x55f532265ffe "\265\261"<error: Cannot access memory at address 0x55f532266000>, ucs4Ptr=0x7ffe292bf39c) at /home/michael/usr/src/tcl8.6.11/generic/tclUtf.c:2388
ch = 0
len = 1
#17 0x00007f93cf915511 in Tcl_UtfToLower (str=0x55f53222c360 "\355\240\276\355\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261"...) at /home/michael/usr/src/tcl8.6.11/generic/tclUtf.c:1108
ch = 177
lowChar = 177
src = 0x55f532265ffe "\265\261"<error: Cannot access memory at address 0x55f532266000>
dst = 0x55f532266000 <error: Cannot access memory at address 0x55f532266000>
len = 1
#18 0x00007f93cf88d28f in TEBCresume (data=0x55f5321b6368, interp=0x55f532177d60, result=0) at /home/michael/usr/src/tcl8.6.11/generic/tclExecute.c:5537
match = 32659
s2len = 841100464
numIndices = 32766
fromIdx = 690746864
nocase = -811904559
s1 = 0x55f532219cb0 "π₯±"
index = 840400224
toIdx = 841100464
length2 = 841100464
cflags = 32659
s1len = 690746864
s2 = 0x2032166778 <error: Cannot access memory at address 0x2032166778>
instructionCount = 2
curInstName = <optimized out>
compiledLocals = 0x55f53217c6e0
constants = 0x55f53216d918
TD = 0x55f53217c740
tosPtr = 0x55f53217c7b0
pc = 0x55f5321bb602 "\257\001"
inst = 175 '\257'
cleanup = 0
objResultPtr = 0x55f5321b62d0
checkInterp = 1
objPtr = 0x55f5321b5e50
valuePtr = 0x55f5321b2880
value2Ptr = 0x3700000003
part1Ptr = 0x0
part2Ptr = 0x55f532166680
tmpPtr = 0x300000000
objv = 0x0
objc = 0
opnd = 4
length = 4
pcAdjustment = 22005
varPtr = 0x55f53217c720
arrayPtr = 0x55f532222940
#19 0x00007f93cf7a591f in TclNRRunCallbacks (interp=0x55f532177d60, result=0, rootPtr=0x55f5321b5e20) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:4493
callbackPtr = 0x55f5321b6360
procPtr = 0x7f93cf881c30 <TEBCresume>
iPtr = 0x55f532177d60
#20 0x00007f93cf7a508a in Tcl_EvalObjv (interp=0x55f532177d60, objc=6, objv=0x55f53217c500, flags=2097168) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:4216
result = 0
rootPtr = 0x55f5321b5e20
#21 0x00007f93cf7a79c9 in TclEvalEx (interp=0x55f532177d60, script=0x7ffe292bfd80 "test $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", numBytes=44, flags=0, line=1, clNextOuter=0x0, outerScript=0x7ffe292bfd80 "test $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5") at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:5362
wordLine = 1
wordCLNext = 0x0
objectsNeeded = 6
wordStart = 0x7ffe292bfda5 "$_pubm5"
numWords = 6
iPtr = 0x55f532177d60
p = 0x7ffe292bfd80 "test $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5"
next = 0x55f5321b5b50 "\002"
minObjs = 20
objv = 0x55f53217c500
objvSpace = 0x55f53217c500
expand = 0x55f53217c5b0
lines = 0x55f53217c610
lineSpace = 0x55f53217c610
tokenPtr = 0x55f53217c448
commandLength = 32659
bytesLeft = 44
expandRequested = 0
code = 0
savedVarFramePtr = 0x55f53216d890
allowExceptions = 0
gotParse = 1
i = 840653648
objectsUsed = 6
parsePtr = 0x55f53217c250
eeFramePtr = 0x55f53217c4a0
stackObjArray = 0x55f53217c500
expandStack = 0x55f53217c5b0
linesStack = 0x55f53217c610
clNext = 0x0
#22 0x00007f93cf7a6c5c in Tcl_EvalEx (interp=0x55f532177d60, script=0x7ffe292bfd80 "test $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", numBytes=-1, flags=0) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:5027
No locals.
#23 0x00007f93cf7a85a9 in Tcl_Eval (interp=0x55f532177d60, script=0x7ffe292bfd80 "test $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5") at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:5956
code = 32766
#24 0x00007f93cf7a9d49 in Tcl_VarEvalVA (interp=0x55f532177d60, argList=0x7ffe292bfe80) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:6955
buf = {string = 0x7ffe292bfd80 "test $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", length = 44, spaceAvl = 200, staticSpace = "test $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5\000\177\000\000 \376+)\376\177\000\000\000f\025\062\365U\000\000\220!\033\062\365U\000\000\000f\025\062\365U\000\000\020\376+)\376\177\000\000\302ΤΟ\177\000\000\200o\034\062\365U\000\000\000\000\000\000\000\000\000\000P[\033\062\365U\000\000@m\033\062\365U\000\000P[\033\062\006", '\000' <repeats 12 times>, "}\226Ο\177\000\000ε΅Ο\177\000\000@\376+)\376\177\000\000\017\063\212Ο\177\000\000P[\033\062\365U\000\000@m\033\062\365U\000\000\220\376+)\376\177\000"}
string = 0x0
result = 32766
#25 0x00007f93cf7a9e2b in Tcl_VarEval (interp=0x55f532177d60) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:6987
argList = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffe292bff60, reg_save_area = 0x7ffe292bfea0}}
result = 22005
#26 0x000055f531fb1793 in trigger_bind (proc=0x55f53224d650 "\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261"..., param=0x7f93ce454290 " $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", mask=0x55f53224d5f0 "\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261"...) at tclhash.c:748
x = 63
ru1 = {ru_utime = {tv_sec = 0, tv_usec = 17256}, ru_stime = {tv_sec = 0, tv_usec = 0}, {ru_maxrss = 11244, __ru_maxrss_word = 11244}, {ru_ixrss = 0, __ru_ixrss_word = 0}, {ru_idrss = 0, __ru_idrss_word = 0}, {ru_isrss = 0, __ru_isrss_word = 0}, {ru_minflt = 839, __ru_minflt_word = 839}, {ru_majflt = 0, __ru_majflt_word = 0}, {ru_nswap = 0, __ru_nswap_word = 0}, {ru_inblock = 0, __ru_inblock_word = 0}, {ru_oublock = 24, __ru_oublock_word = 24}, {ru_msgsnd = 0, __ru_msgsnd_word = 0}, {ru_msgrcv = 0, __ru_msgrcv_word = 0}, {ru_nsignals = 0, __ru_nsignals_word = 0}, {ru_nvcsw = 23, __ru_nvcsw_word = 23}, {ru_nivcsw = 0, __ru_nivcsw_word = 0}}
ru2 = {ru_utime = {tv_sec = 0, tv_usec = 0}, ru_stime = {tv_sec = 0, tv_usec = 94511593762803}, {ru_maxrss = 140729589170816, __ru_maxrss_word = 140729589170816}, {ru_ixrss = 94511596623344, __ru_ixrss_word = 94511596623344}, {ru_idrss = 0, __ru_idrss_word = 0}, {ru_isrss = 1, __ru_isrss_word = 1}, {ru_minflt = 5, __ru_minflt_word = 5}, {ru_majflt = 94511596623345, __ru_majflt_word = 94511596623345}, {ru_nswap = 140729589170816, __ru_nswap_word = 140729589170816}, {ru_inblock = 0, __ru_inblock_word = 0}, {ru_oublock = 140729589170608, __ru_oublock_word = 140729589170608}, {ru_msgsnd = 94511596623384, __ru_msgsnd_word = 94511596623384}, {ru_msgrcv = 140729589170368, __ru_msgrcv_word = 140729589170368}, {ru_nsignals = 94511593888536, __ru_nsignals_word = 94511593888536}, {ru_nvcsw = 32, __ru_nvcsw_word = 32}, {ru_nivcsw = 2417374100480, __ru_nivcsw_word = 2417374100480}}
r = 0
buf = 0x55f53225a620 "\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261"...
#27 0x000055f531fb1cdb in check_tcl_bind (tl=0x55f532216a80, match=0x7ffe292c0280 "#test6888 π₯±", atr=0x7ffe292c01b0, param=0x7f93ce454290 " $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", match_type=562) at tclhash.c:891
x = 840640640
result = 0
cnt = 1
finish = 0
proc = 0x0
mask = 0x0
tm = 0x55f53224d520
tm_last = 0x0
tm_p = 0x0
tc = 0x55f53224d610
htc = 0x0
str = 0x5 <error: Cannot access memory at address 0x5>
varName = 0x55f532177d60 "8\177\027\062\365U"
brkt = 0x55f5321b2880 "\004"
#28 0x00007f93ce44f044 in check_tcl_pubm (nick=0x7ffe292c0710 "smNgzQmsq", from=0x7ffe292c071a "~smNgzQmsq@localhost", chname=0x55f53224d6b8 "\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261"..., msg=0x55f532219c7b "π₯±") at .././irc.mod/irc.c:934
fr = {match = 5, global = 0, udef_global = 0, bot = 0, chan = 0, udef_chan = 0}
x = 0
buf = "#test6888 π₯±\000Dp\005,)\376\177\000\000\000\000\000\000B\000\000\000\360\002,)\376\177\000\000\233h\372\061\365U\000\000 \241\376\061\365U\000\000\020\a,)\376\177\000\000`\004,)\376\177\000\000\212\037\r\317\021\000\000\000\020\a,)\376\177\000\000 \241\376\061\365U\000\000\001\200\255\373\376\177\000\000\330\025\366\061\365U\000\000\020\a,)\376\177\000\000p\326$2\365U\000\000\330\025\366\061\365U\000\000\220\344\026\062\365U\000\000\220\006,)\376\177\000\000\345KBΞ\177", '\000' <repeats 18 times>, "p\326$2\365U\000\000\020/#2\365U\000\000\032\a,)\376\177\000\000\020\a,)"...
host = "smNgzQmsq!~smNgzQmsq@localhost", '\000' <repeats 18 times>, "\005", '\000' <repeats 11 times>, "\223\177\000\000\000\000\000\000\000\000\000\000\200\002,)\376\177\000\000s\005,)\376\177\000\000\000|\271\326\000B5D\020\005,)\376\177\000\000\000\000\000\000\000\000\000\000\020\005,)\376\177\000\000c\000\000\000\000\000\000\000\200\002,)\376\177\000\000j\037\375\061\365U\000\000\000\004,)\376\177\000\000\212\037\rΟ\177\000\000\240"
u = 0x0
#29 0x00007f93ce42fdae in gotmsg (from=0x55f532232f10 "\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261"..., msg=0x55f532219c7b "π₯±") at .././irc.mod/chan.c:2496
result = 0
to = 0x55f532219c70 "#test6888"
realto = 0x55f532219c70 "#test6888"
buf = "smNgzQmsq\000~smNgzQmsq@localhost\000\000\000\000\000\000\005\000\000\000Ψ$2\365U\000\000\200f\026\062\365U\000\000\000\000\000\000\000\000\000\000\340\322\"2\365U\000\000\345\322\"2\365U\000\000xg\026\062\365U\000\000`}\027\062\365U\000\000\200f\026\062\365U\000\000\020\300\"2\365U\000\000\220\a,)\376\177\000\000\060\b,)\376\177\000\000\020\t,)\376\177\000\000\370\261\215Ο\177\000\000p\t,)\376\177\000\000h\t,)\376\177\000\000\270\t,)\376\177\000\000\260\t,)\376\177\000\000 ^\033\062\000\000\000\000\200f\026\062\365U\000\000`\301\"2\365U\000\000`}"...
nick = 0x7ffe292c0710 "smNgzQmsq"
buf2 = "\020\t,)\376\177\000\000Ψ$2\365U\000\000\020\t,)\376\177\000\000jC\222Ο\177\000\000&A\375\061\001\000\004\000\071>\212Ο\177\000\000\000\213\034\062\365U\000\000`\301\"2\365U\000\000`\301\"2\365U\000\000 \213\034\062\365U\000\000\000\t,)\376\177\000\000\276\064\212Ο\177", '\000' <repeats 18 times>, "`\301\"2\365U\000\000 g\026\062\365U\000\000m\362\064qm\000\000\000\000\213\034\062\365U\000\000\200ήΟ\177\000\000\002>\212Ο\177\000\000 \t,)\376\177\000\000\017\063\212Ο\177\000\000`\301\"2\365U\000\000 g\026\062\365U\000\000\320\t,)\376\177\000\000\377\272\215Ο\177\000\000H"...
uhost = 0x7ffe292c071a "~smNgzQmsq@localhost"
p = 0x0
p1 = 0x7ffe292c08a8 " \213\034\062\365U"
code = 0x7ffe292c08f8 "\002>\212Ο\177"
ctcp = 0x200000000 <error: Cannot access memory at address 0x200000000>
ctcp_count = 0
ignoring = 0
chan = 0x55f53224d670
u = 0x7ffe292c08f0
#30 0x00007f93ce4718b6 in server_raw (cd=0x7f93ce42f5b4 <gotmsg>, irp=0x55f532177d60, argc=4, argv=0x55f53225db10) at .././server.mod/server.c:1301
F = 0x7f93ce42f5b4 <gotmsg>
#31 0x000055f531fa74c1 in tcl_call_stringproc_cd (cd=0x55f5322161a0, interp=0x55f532177d60, objc=4, objv=0x55f53217c0e0) at tcl.c:325
max = 0
argv = 0x55f53225db10
i = 4
info = 0x55f5322161a0
#32 0x00007f93cf7a5892 in Dispatch (data=0x55f5321b5af8, interp=0x55f532177d60, result=0) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:4457
objProc = 0x55f531fa73de <tcl_call_stringproc_cd>
clientData = 0x55f5322161a0
objc = 4
objv = 0x55f53217c0e0
iPtr = 0x55f532177d60
#33 0x00007f93cf7a591f in TclNRRunCallbacks (interp=0x55f532177d60, result=0, rootPtr=0x0) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:4493
callbackPtr = 0x55f5321b5af0
procPtr = 0x7f93cf7a5816 <Dispatch>
iPtr = 0x55f532177d60
#34 0x00007f93cf7a508a in Tcl_EvalObjv (interp=0x55f532177d60, objc=4, objv=0x55f53217c0e0, flags=2097168) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:4216
result = 0
rootPtr = 0x0
#35 0x00007f93cf7a79c9 in TclEvalEx (interp=0x55f532177d60, script=0x7ffe292c0e30 "*raw:irc:msg $_raw1 $_raw2 $_raw3", numBytes=33, flags=0, line=1, clNextOuter=0x0, outerScript=0x7ffe292c0e30 "*raw:irc:msg $_raw1 $_raw2 $_raw3") at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:5362
wordLine = 1
wordCLNext = 0x0
objectsNeeded = 4
wordStart = 0x7ffe292c0e4b "$_raw3"
numWords = 4
iPtr = 0x55f532177d60
p = 0x7ffe292c0e30 "*raw:irc:msg $_raw1 $_raw2 $_raw3"
next = 0x55f5321b6450 "\001"
minObjs = 20
objv = 0x55f53217c0e0
objvSpace = 0x55f53217c0e0
expand = 0x55f53217c190
lines = 0x55f53217c1f0
lineSpace = 0x55f53217c1f0
tokenPtr = 0x55f53217bf98
commandLength = 32659
bytesLeft = 33
expandRequested = 0
code = 0
savedVarFramePtr = 0x55f53216d890
allowExceptions = 0
gotParse = 1
i = 840655952
objectsUsed = 4
parsePtr = 0x55f53217be30
eeFramePtr = 0x55f53217c080
stackObjArray = 0x55f53217c0e0
expandStack = 0x55f53217c190
linesStack = 0x55f53217c1f0
clNext = 0x0
#36 0x00007f93cf7a6c5c in Tcl_EvalEx (interp=0x55f532177d60, script=0x7ffe292c0e30 "*raw:irc:msg $_raw1 $_raw2 $_raw3", numBytes=-1, flags=0) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:5027
No locals.
#37 0x00007f93cf7a85a9 in Tcl_Eval (interp=0x55f532177d60, script=0x7ffe292c0e30 "*raw:irc:msg $_raw1 $_raw2 $_raw3") at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:5956
code = 32766
#38 0x00007f93cf7a9d49 in Tcl_VarEvalVA (interp=0x55f532177d60, argList=0x7ffe292c0f30) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:6955
buf = {string = 0x7ffe292c0e30 "*raw:irc:msg $_raw1 $_raw2 $_raw3", length = 33, spaceAvl = 200, staticSpace = "*raw:irc:msg $_raw1 $_raw2 $_raw3\000\000\000\000\000\000\000\254\227\223Ο\177\000\000\320\016,)\376\177\000\000\000f\025\062\365U\000\000\020\\\033\062\365U\000\000\000f\025\062\365U\000\000\300\016,)\376\177\000\000\302ΤΟ\177\000\000\200o\034\062\365U\000\000\000\000\000\000\000\000\000\000Pd\033\062\365U\000\000@m\033\062\365U\000\000Pd\033\062\005", '\000' <repeats 12 times>, "}\226Ο\177\000\000ε΅Ο\177\000\000\360\016,)\376\177\000\000\017\063\212Ο\177\000\000Pd\033\062\365U\000\000@m\033\062\365U\000\000@\017,)\376\177\000"}
string = 0x0
result = 32766
#39 0x00007f93cf7a9e2b in Tcl_VarEval (interp=0x55f532177d60) at /home/michael/usr/src/tcl8.6.11/generic/tclBasic.c:6987
argList = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffe292c1010, reg_save_area = 0x7ffe292c0f50}}
result = 22005
#40 0x000055f531fb1793 in trigger_bind (proc=0x55f532216200 "*raw:irc:msg", param=0x7f93ce4785d3 " $_raw1 $_raw2 $_raw3", mask=0x55f5321575f0 "PRIVMSG") at tclhash.c:748
x = 52
ru1 = {ru_utime = {tv_sec = 1, tv_usec = 0}, ru_stime = {tv_sec = 94511596002560, tv_usec = 94511595748704}, {ru_maxrss = 25769803775, __ru_maxrss_word = 25769803775}, {ru_ixrss = 4148938407936, __ru_ixrss_word = 4148938407936}, {ru_idrss = 94511594028614, __ru_idrss_word = 94511594028614}, {ru_isrss = 0, __ru_isrss_word = 0}, {ru_minflt = 94511596608448, __ru_minflt_word = 94511596608448}, {ru_majflt = 0, __ru_majflt_word = 0}, {ru_nswap = 94511596002800, __ru_nswap_word = 94511596002800}, {ru_inblock = 0, __ru_inblock_word = 0}, {ru_oublock = 94511596002560, __ru_oublock_word = 94511596002560}, {ru_msgsnd = 0, __ru_msgsnd_word = 0}, {ru_msgrcv = 94511596608448, __ru_msgrcv_word = 94511596608448}, {ru_nsignals = 94511595748704, __ru_nsignals_word = 94511595748704}, {ru_nvcsw = 140728898420737, __ru_nvcsw_word = 140728898420737}, {ru_nivcsw = 0, __ru_nivcsw_word = 0}}
ru2 = {ru_utime = {tv_sec = 0, tv_usec = 94511595748704}, ru_stime = {tv_sec = 0, tv_usec = 4914907139714677760}, {ru_maxrss = 140729589174624, __ru_maxrss_word = 140729589174624}, {ru_ixrss = 140272819364601, __ru_ixrss_word = 140272819364601}, {ru_idrss = 0, __ru_idrss_word = 0}, {ru_isrss = -1, __ru_isrss_word = -1}, {ru_minflt = 16, __ru_minflt_word = 16}, {ru_majflt = 840311088, __ru_majflt_word = 840311088}, {ru_nswap = 94511596002800, __ru_nswap_word = 94511596002800}, {ru_inblock = 0, __ru_inblock_word = 0}, {ru_oublock = 94511596002560, __ru_oublock_word = 94511596002560}, {ru_msgsnd = 94511595748704, __ru_msgsnd_word = 94511595748704}, {ru_msgrcv = 0, __ru_msgrcv_word = 0}, {ru_nsignals = 94511593888292, __ru_nsignals_word = 94511593888292}, {ru_nvcsw = 690762464, __ru_nvcsw_word = 690762464}, {ru_nivcsw = 695092214784, __ru_nivcsw_word = 695092214784}}
r = 0
buf = 0x55f532253900 "\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261"...
#41 0x000055f531fb1cdb in check_tcl_bind (tl=0x55f532157330, match=0x7ffe292c76a0 "PRIVMSG", atr=0x0, param=0x7f93ce4785d3 " $_raw1 $_raw2 $_raw3", match_type=161) at tclhash.c:891
x = 840654320
result = 0
cnt = 1
finish = 0
proc = 0x0
mask = 0x0
tm = 0x55f5321572c0
tm_last = 0x55f532157690
tm_p = 0x55f532157690
tc = 0x55f5322161c0
htc = 0x0
str = 0x55f53225daf0 "\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261\265\261"...
varName = 0x55f532177d60 "8\177\027\062\365U"
brkt = 0x55f5321b5df0 "\002"
#42 0x00007f93ce462013 in check_tcl_raw (from=0x7ffe292c7681 "smNgzQmsq!~smNgzQmsq@localhost", code=0x7ffe292c76a0 "PRIVMSG", msg=0x7ffe292c76a8 "#test6888 :π₯±") at .././server.mod/servmsg.c:192
x = 1144340992
#43 0x00007f93ce466924 in server_activity (idx=4, tagmsg=0x7ffe292c7680 ":smNgzQmsq!~smNgzQmsq@localhost", len=55) at .././server.mod/servmsg.c:1198
from = 0x7ffe292c7681 "smNgzQmsq!~smNgzQmsq@localhost"
code = 0x7ffe292c76a0 "PRIVMSG"
s1 = 0x0
s2 = 0x0
saveptr1 = 0x0
saveptr2 = 0x0
tagstrptr = 0x0
token = 0x0
subtoken = 0x0
tagstr = '\000' <repeats 488 times>...
tagdict = '\000' <repeats 8191 times>
msgptr = 0x7ffe292c76a8 "#test6888 :π₯±"
rawmsg = ":smNgzQmsq!~smNgzQmsq@localhost PRIVMSG #test6888 :π₯±\000te List\000st\000BotA #test6888 :End of Channel Exception List\r\n\000MES list.\r\n\000 idle, signon time\r\n:zen.localdomain 318 BotA BotA :End of WHOIS list.\r\n\000 si"...
taglen = 0
i = 0
found = 0
#44 0x000055f531f9654c in mainloop (toplevel=1) at ./main.c:868
idx = 4
socket_cleanup = 3
xx = 9
i = 55
eggbusy = 1
tclbusy = 0
buf = ":smNgzQmsq!~smNgzQmsq@localhost\000PRIVMSG\000#test6888 :π₯±\000te List\000st\000ime\000tion, Planet Earth\000are supported by this server\000N=255 MAXLIST=beIR:64 CHANNELLEN=50 IDCHAN=!:5 CHANMODES=beIR,k,l,imnpstaqr :are supp"...
#45 0x000055f531f97b85 in main (arg_c=3, arg_v=0x7ffe292c9ab8) at ./main.c:1297
i = -1
xx = 1572073
s = "1549474\n\000\070 2021\000:28 2021"
f = 0x55f53214a300
sv = {__sigaction_handler = {sa_handler = 0x55f531f94f96 <got_alarm>, sa_sigaction = 0x55f531f94f96 <got_alarm>}, sa_mask = {__val = {0, 0, 0, 0, 140272817215968, 140272820136328, 140272817188222, 430187518680, 4914907139714677760, 4294967295, 140272817135609, 0, 64, 8388608, 18446744073709551615, 140272817134608}}, sa_flags = 0, sa_restorer = 0x1}
chan = 0x0
cdlim = {rlim_cur = 18446744073709551615, rlim_max = 18446744073709551615}
Yes, thommy, I also miss the terminating NULL here. Where is our string that we did Tcl_SetVar()?
src = 0x55f532265ffe "\265\261"<error: Cannot access memory at address 0x55f532266000>
I would decode the crashing code to something like if ((c & 0xc0) == 0x80),
which looks like part of a UTF-8 detection routine:
[0x7f5ba88859e2]> drr
role reg value refstr
────────────────────────────────────
R0 rax 55f43993c000 [heap] rax
[...]
PC rip 7f5ba88859e2 /home/michael/opt/tcl-8.6.11/lib/libtcl8.6.so rip library R X 'movzx eax, byte [rax]' 'libtcl8.6.so'
[...]
[0x7f5ba88859e2]> pd 5
;-- rip:
0x7f5ba88859e2 0fb600 movzx eax, byte [rax]
0x7f5ba88859e5 0fbec0 movsx eax, al
0x7f5ba88859e8 25c0000000 and eax, 0xc0 ; 192
0x7f5ba88859ed 3d80000000 cmp eax, 0x80 ; 128
┌─< 0x7f5ba88859f2 0f8590000000 jne 0x7f5ba8885a88
The crash happens in Tcl_UtfToUniChar().
The Tcl function in git (https://github.com/tcltk/tcl/blob/main/generic/tclUtf.c) changes between Tcl versions.
Tcl git branch core-8-6 commit 8e344ad3394e9f52ee250909dd2874b853a3c8e6 also crashes.
Tcl git 9.0 can't be tested due to the changed API.
Here is some debug output captured in check_tcl_pubm() at irc.c:934 with r = Tcl_SetVar(interp, "_pubm5", msg, 0);
the addresses are different from the backtrace above (new run + ASLR):
check_tcl_pubm(): chname 55b8f8ea96a8 23 74 65 73 74 36 38 38 38
check_tcl_pubm(): msg 55b8f8e8863b f0 9f a5 b1
check_tcl_pubm(): buf 7fffce65f780 23 74 65 73 74 36 38 38 38 20 f0 9f a5 b1
check_tcl_pubm(): r 55b8f8e75ca0 f0 9f a5 b1
check_tcl_pubm(): _pubm4 55b8f8e89150 23 74 65 73 74 36 38 38 38
check_tcl_pubm(): _pubm5 55b8f8e75ca0 f0 9f a5 b1
So here we see the addresses of the char* pointers and their contents. _pubm4 and _pubm5 are the results of Tcl_GetVar(), to verify the correct operation of Tcl_SetVar(); so far it looks as expected.
Analyzing the crash dump shows that our _pubm5 string is still all right where Tcl_SetVar() put it:
(gdb) x /8bx 0x55b8f8e75ca0
0x55b8f8e75ca0: 0xf0 0x9f 0xa5 0xb1 0x00 0x69 0x72 0x63
Here we still see our input string and its length, as expected:
#18 0x00007f0343ea03c8 in TEBCresume (data=0x55b8f8e16368, interp=0x55b8f8dd7d60, result=0) at /home/michael/usr/src/tcl/generic/tclExecute.c:5537
length = 4
s1 = 0x55b8f8e75ca0 "π₯±"
So let's take a look at what is happening around tclExecute.c:5537:
5531     case INST_STR_LOWER:
5532         valuePtr = OBJ_AT_TOS;
5533         TRACE(("\"%.20s\" => ", O2S(valuePtr)));
5534         if (Tcl_IsShared(valuePtr)) {
5535             s1 = TclGetStringFromObj(valuePtr, &length);
5536             TclNewStringObj(objResultPtr, s1, length);
5537             length = Tcl_UtfToLower(TclGetString(objResultPtr));
TclGetString(objResultPtr) should give a valid char*, per the prototype int Tcl_UtfToLower(char *).
But what do we have here:
#17 0x00007f0343f286c2 in Tcl_UtfToLower (str=0x55b8f8e88350
At this point Tcl has lost its grip on our input string, so whatever happens inside Tcl_UtfToLower() will happen on garbage data:
(gdb) x /16bx 0x55b8f8e88350
0x55b8f8e88350: 0xed 0xa0 0xbe 0xed 0xb5 0xb1 0xb5 0xb1
0x55b8f8e88358: 0xb5 0xb1 0xb5 0xb1 0xb5 0xb1 0xb5 0xb1
So I suspect TclNewStringObj() to cause the problem, but it's not easy to "static analyze" because it's a macro hell. I hope thommey can read that Tcl code from what is analyzed here.
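As an added example (not eggdrop or Tcl code, and not written by anyone in this thread): a length-bounded UTF-8 decoder in C that makes the continuation-byte test from the disassembly above explicit and never reads past a caller-supplied length, so a buffer that has lost its terminating NUL is reported as truncated instead of being walked off the end. It decodes the yawning-face bytes from the report to U+1F971, rejects the same sequence cut one byte short, and rejects the ED A0 BE bytes seen at the address handed to Tcl_UtfToLower(), since those encode a UTF-16 surrogate, which strict UTF-8 forbids. The function names and sample buffers are this example's own; Tcl's internal string representation follows its own rules and is not modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one UTF-8 sequence from src without reading beyond len bytes.
 * On success store the code point in *cp and return the bytes consumed (1..4).
 * Return 0 for an invalid, overlong, surrogate or truncated sequence. */
size_t utf8_decode_bounded(const unsigned char *src, size_t len, uint32_t *cp)
{
    size_t cont;      /* continuation bytes expected after the lead byte */
    uint32_t v, min;  /* accumulated value, smallest value legal for this length */
    unsigned char lead;

    if (len == 0)
        return 0;
    lead = src[0];
    if (lead < 0x80) {
        *cp = lead;
        return 1;
    } else if ((lead & 0xe0) == 0xc0) {
        cont = 1; v = lead & 0x1f; min = 0x80;
    } else if ((lead & 0xf0) == 0xe0) {
        cont = 2; v = lead & 0x0f; min = 0x800;
    } else if ((lead & 0xf8) == 0xf0) {
        cont = 3; v = lead & 0x07; min = 0x10000;
    } else {
        return 0; /* stray continuation byte (10xxxxxx) or 0xf8..0xff */
    }

    /* The bound a NUL-terminated scan does not have: refuse to read src[cont]
     * unless the caller vouched for that many bytes. */
    if (len < cont + 1)
        return 0;

    for (size_t i = 1; i <= cont; i++) {
        /* Same test as in the disassembly: (byte & 0xc0) == 0x80 */
        if ((src[i] & 0xc0) != 0x80)
            return 0;
        v = (v << 6) | (src[i] & 0x3f);
    }
    if (v < min || v > 0x10ffff || (v >= 0xd800 && v <= 0xdfff))
        return 0; /* overlong form, out of range, or an encoded UTF-16 surrogate */
    *cp = v;
    return cont + 1;
}

/* Convenience wrapper: the first code point, or UINT32_MAX if rejected. */
uint32_t utf8_first_cp(const unsigned char *src, size_t len)
{
    uint32_t cp;
    return utf8_decode_bounded(src, len, &cp) ? cp : UINT32_MAX;
}

/* Walk a buffer of known length; return the code point count, or -1 on the
 * first invalid or truncated sequence. Never touches src[len] or beyond. */
long utf8_count_bounded(const unsigned char *src, size_t len)
{
    long n = 0;
    size_t pos = 0;
    while (pos < len) {
        uint32_t cp;
        size_t used = utf8_decode_bounded(src + pos, len - pos, &cp);
        if (used == 0)
            return -1;
        pos += used;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: the yawning face from the report, the same bytes cut
     * short with nothing valid behind them, and the bytes found at the address
     * passed to Tcl_UtfToLower() in the crash dump. */
    const unsigned char face[] = { 0xf0, 0x9f, 0xa5, 0xb1 };
    const unsigned char truncated[] = { 0xf0, 0x9f, 0xa5 };
    const unsigned char dump[] = { 0xed, 0xa0, 0xbe, 0xed, 0xb5, 0xb1, 0xb5, 0xb1 };

    printf("face: U+%04X\n", utf8_first_cp(face, sizeof face));
    printf("truncated: %s\n",
           utf8_first_cp(truncated, sizeof truncated) == UINT32_MAX ? "rejected, no over-read" : "decoded");
    printf("dump bytes: %ld code points (-1 = invalid)\n", utf8_count_bounded(dump, sizeof dump));
    return 0;
}
```

The design point is that the length travels with the pointer: a caller that has the byte count (as check_tcl_pubm() does when it builds buf) can hand it down, and the decoder fails closed when the sequence does not fit, whereas a scanner that trusts a terminating NUL has no way to tell a truncated sequence from one that continues into whatever memory follows.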
version: eggdrop 1.9.0 (and I believe, 1.8.4)
make type: debug
configure options: --prefix --enable-tdns
no patches
tcl 8.6.11
external script (Armour)
FreeBSD 12.2-RELEASE-p1 (amd64)
happening rather frequently (multiple times a day), but only on one bot on this machine (with others running the same build and same script).
Example 1:
(gdb) bt
#0 0x0000000800450a1b in Tcl_UtfToUniChar () from /usr/local/lib/libtcl86.so.1
#1 0x00000008004516d4 in Tcl_UtfToLower () from /usr/local/lib/libtcl86.so.1
#2 0x00000008003f635e in ?? () from /usr/local/lib/libtcl86.so.1
#3 0x0000000800367ee2 in Tcl_EvalObjv () from /usr/local/lib/libtcl86.so.1
#4 0x000000080036986c in ?? () from /usr/local/lib/libtcl86.so.1
#5 0x000000080036b7ac in Tcl_VarEval () from /usr/local/lib/libtcl86.so.1
#6 0x0000000000253c55 in trigger_bind (proc=0x8014b10a0 "arm::arm:pubm:binds", param=0x801478820 " $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", mask=) at tclhash.c:748
#7 0x0000000000253972 in check_tcl_bind (tl=0x800ccd830, match=0x7fffffff5670 "#USA \360\237\245\261", atr=0x7fffffff5e70, param=0x801478820 " $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", match_type=562) at tclhash.c:891
#8 0x0000000801490f3e in check_tcl_pubm (nick=0x7fffffff5c70 "Mystic", from=, chname=0x800cc6048 "#USA", msg=0x80242fe76 "\360\237\245\261") at .././irc.mod/irc.c:934
#9 gotmsg (from=0x80242fe76 "\360\237\245\261", msg=0x80242fe76 "\360\237\245\261") at ./chan.c:2492
#10 0x0000000801461881 in server_raw (cd=0x8014908b0, irp=0x800d3b710, argc=, argv=) at .././server.mod/server.c:1301
#11 0x000000080036bfd2 in ?? () from /usr/local/lib/libtcl86.so.1
#12 0x0000000800367ee2 in Tcl_EvalObjv () from /usr/local/lib/libtcl86.so.1
#13 0x000000080036986c in ?? () from /usr/local/lib/libtcl86.so.1
#14 0x000000080036b7ac in Tcl_VarEval () from /usr/local/lib/libtcl86.so.1
#15 0x0000000000253c55 in trigger_bind (proc=0x800d002e0 "*raw:irc:msg", param=0x80145985c " $_raw1 $_raw2 $_raw3", mask=) at tclhash.c:748
#16 0x0000000000253972 in check_tcl_bind (tl=0x800ccd410, match=0x7fffffffc8b1 "PRIVMSG", atr=0x0, param=0x80145985c " $_raw1 $_raw2 $_raw3", match_type=161) at tclhash.c:891
#17 0x000000080146dfbe in check_tcl_raw (from=0x7fffffffc881 "Mystic!~Android@bb121-6-125-170.singnet.com.sg", code=0x7fffffffc8b1 "PRIVMSG", msg=0x7fffffffc8b9 "#usa :\360\237\245\261") at ./servmsg.c:192
#18 server_activity (idx=, tagmsg=, len=) at ./servmsg.c:1198
#19 0x0000000000243a3e in mainloop (toplevel=1) at ./main.c:868
#20 0x00000000002443fa in main (arg_c=, arg_v=) at ./main.c:1296
(gdb)
Example 2:
Reading symbols from eggdrop-1.9.0...
[New LWP 102042]
Core was generated by `./eggdrop pentagon.conf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000800450a1b in Tcl_UtfToUniChar () from /usr/local/lib/libtcl86.so.1
(gdb) bt
#0 0x0000000800450a1b in Tcl_UtfToUniChar () from /usr/local/lib/libtcl86.so.1
#1 0x00000008004516d4 in Tcl_UtfToLower () from /usr/local/lib/libtcl86.so.1
#2 0x00000008003f635e in ?? () from /usr/local/lib/libtcl86.so.1
#3 0x0000000800367ee2 in Tcl_EvalObjv () from /usr/local/lib/libtcl86.so.1
#4 0x000000080036986c in ?? () from /usr/local/lib/libtcl86.so.1
#5 0x000000080036b7ac in Tcl_VarEval () from /usr/local/lib/libtcl86.so.1
#6 0x0000000000253c55 in trigger_bind (proc=0x8014ca0a0 "arm::arm:pubm:binds", param=0x80148c820 " $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", mask=) at tclhash.c:748
#7 0x0000000000253972 in check_tcl_bind (tl=0x800ccd830, match=0x7fffffff5570 "#USA π", atr=0x7fffffff5d70, param=0x80148c820 " $_pubm1 $_pubm2 $_pubm3 $_pubm4 $_pubm5", match_type=562) at tclhash.c:891
#8 0x00000008014a4f3e in check_tcl_pubm (nick=0x7fffffff5b70 "cheshire", from=, chname=0x800ceb048 "#USA", msg=0x8015b6696 "π") at .././irc.mod/irc.c:934
#9 gotmsg (from=0x8015b6696 "π", msg=0x8015b6696 "π") at ./chan.c:2492
#10 0x000000080146f881 in server_raw (cd=0x8014a48b0, irp=0x800d57710, argc=, argv=) at .././server.mod/server.c:1301
#11 0x000000080036bfd2 in ?? () from /usr/local/lib/libtcl86.so.1
#12 0x0000000800367ee2 in Tcl_EvalObjv () from /usr/local/lib/libtcl86.so.1
#13 0x000000080036986c in ?? () from /usr/local/lib/libtcl86.so.1
#14 0x000000080036b7ac in Tcl_VarEval () from /usr/local/lib/libtcl86.so.1
#15 0x0000000000253c55 in trigger_bind (proc=0x800d002e0 "*raw:irc:msg", param=0x80146785c " $_raw1 $_raw2 $_raw3", mask=) at tclhash.c:748
#16 0x0000000000253972 in check_tcl_bind (tl=0x800ccd410, match=0x7fffffffc7aa "PRIVMSG", atr=0x0, param=0x80146785c " $_raw1 $_raw2 $_raw3", match_type=161) at tclhash.c:891
#17 0x000000080147bfbe in check_tcl_raw (from=0x7fffffffc781 "cheshire!cheshire@time.2get.nawty.ugo.si", code=0x7fffffffc7aa "PRIVMSG", msg=0x7fffffffc7b2 "#usa :π") at ./servmsg.c:192
#18 server_activity (idx=, tagmsg=, len=) at ./servmsg.c:1198
#19 0x0000000000243a3e in mainloop (toplevel=1) at ./main.c:868
#20 0x00000000002443fa in main (arg_c=, arg_v=) at ./main.c:1296
(gdb)