[clamav-users] 0.98.3, new segfault probably related to email parser
Stuart Henderson
stu-clamav-list at spacehopper.org
Mon May 12 14:50:07 UTC 2014
On 2014/05/12 14:57, Steve Basford wrote:
>
> On Mon, May 12, 2014 2:12 pm, Stuart Henderson wrote:
> > I'm running clamav on OpenBSD/amd64 5.5 (with various sanesecurity
> > hdb's, if that matters). Built from ports (with LLVM 3.3).
>
> Hi,
>
> Is it random or only on a certain email?
>
> Do you have a full copy of the email shown in your log?
> If you do, does a clamdscan on the email cause a crash?
I've isolated a certain email which seems particularly likely to
trigger it, but it doesn't happen every time for that message.
From the last few attempts running clamdscan in a loop, it
took approx 100, 10, 300, 130 attempts to hit the crash.
It also happens for clamscan (I removed all standard db's and
included only the single signature triggered by this mail so it
would start quickly).
I have only hit this crash if a signature is matched (i.e.
I haven't hit it if I remove phish.ndb).
Here's a backtrace from clamscan built with -O0; I can provide the
message and signature off-list for anyone attempting to reproduce it.
(gdb) bt full
#0 0x000008617687540b in boundaryEnd (line=0x8616bbebd81 " ",
boundary=0x8616ad88b60 "----------9305594F5ADCAB39") at mbox.c:2273
len = 26
newline = 0x86169a74000 ""
p = 0x86169a74000 ""
p2 = 0x86169a73fff <Address 0x86169a73fff out of bounds>
#1 0x0000086176873baa in parseEmailBody (messageIn=0x861753cd980, textIn=0x0,
mctx=0x7f7ffffc31a0, recursion_level=0) at mbox.c:1494
line = 0x8616bbebd81 " "
lines = 4
m = (message **) 0x8616bbeb890
old_rc = FAIL
subtype = 5
htmltextPart = 0
inMimeHead = 0
mimeSubtype = 0x8616bbeb000 "mixed"
boundary = 0x8616ad88b60 "----------9305594F5ADCAB39"
aMessage = (message *) 0x86169a75080
mimeType = MULTIPART
inhead = 0
i = 0
t_line = (const text *) 0x8616bbeb270
multiparts = 0
messages = (message **) 0x8616bbeb890
rc = OK
aText = (text *) 0x0
mainMessage = (message *) 0x861753cd980
fb = (fileblob *) 0x0
infected = false
engine = (const struct cl_engine *) 0x8617164e800
doPhishingScan = 1
#2 0x0000086176871e35 in cli_parse_mbox (
dir=0x8616fe80d80 "/tmp//clamav-d32876238e1c0847f3ed68257ceb49c6.tmp",
ctx=0x7f7ffffc39e0) at mbox.c:508
retcode = 0
body = (message *) 0x861753cd980
buffer = "Return-Path: <>\n\000\000c6", '\0' <repeats 20 times>, "÷V.\230\215íÐI\000\000\000\000\000\000\000\000^\016èoa\b\000\000\2205üÿ\177\177\000\000\236dµva\b\000\000\002", '\0' <repeats 23 times>, "ÃñÖha\b", '\0' <repeats 14 times>, "a\b\000\000\000\000\000\000\000\000\000\000÷V.\230\215íÐI\000\000\000\000\000\000\000\000\200\rèoa\b\000\0002\000\000\000\000\000\000\000âdµva\b\000\000\002", '\0' <repeats 23 times>, "d¥Ùha\b", '\0' <repeats 290 times>, "ÿÿÿÿ\000\000\000\000p2üÿ\177\177\000\000±\rèoa\b\000\000"...
mctx = {
dir = 0x8616fe80d80 "/tmp//clamav-d32876238e1c0847f3ed68257ceb49c6.tmp",
rfc821Table = 0x8616ad986e0, subtypeTable = 0x8616ad88080,
ctx = 0x7f7ffffc39e0, files = 0}
at = 21404
map = (fmap_t *) 0x8616796b000
#3 0x0000086176871845 in cli_mbox (
dir=0x8616fe80d80 "/tmp//clamav-d32876238e1c0847f3ed68257ceb49c6.tmp",
ctx=0x7f7ffffc39e0) at mbox.c:309
No locals.
#4 0x0000086176866520 in cli_scanmail (ctx=0x7f7ffffc39e0) at scanners.c:1804
dir = 0x8616fe80d80 "/tmp//clamav-d32876238e1c0847f3ed68257ceb49c6.tmp"
ret = 2145
viruses_found = 0
#5 0x000008617686a49c in magic_scandesc (ctx=0x7f7ffffc39e0,
type=CL_TYPE_MAIL) at scanners.c:2697
ret = 0
dettype = CL_TYPE_ANY
typercg = 1 '\001'
current_container_type = CL_TYPE_ANY
current_container_size = 0
hashed_size = 21404
hash = "uÒ\000\000Qÿ·/\005|ÝÅgB§Æ"
old_hook_lsig_matches = (bitset_t *) 0x8616bbeb780
filetype = 0x86176b1bf94 "CL_TYPE_MAIL"
cache_clean = 0
res = 1
#6 0x000008617686c178 in cli_base_scandesc (desc=3, ctx=0x7f7ffffc39e0,
type=CL_TYPE_ANY) at scanners.c:3007
sb = {st_mode = 33184, st_dev = 9985, st_ino = 45975, st_nlink = 1,
st_uid = 1000, st_gid = 0, st_rdev = -1, st_atim = {tv_sec = 1399905336,
tv_nsec = 495715245}, st_mtim = {tv_sec = 1399904591, tv_nsec = 62550638},
st_ctim = {tv_sec = 1399904591, tv_nsec = 62555667}, st_size = 21404,
st_blocks = 48, st_blksize = 4096, st_flags = 0, st_gen = 0,
__st_birthtim = {tv_sec = 0, tv_nsec = 0}}
ret = 32639
#7 0x000008617686c1fa in cli_magic_scandesc (desc=3, ctx=0x7f7ffffc39e0)
at scanners.c:3016
No locals.
#8 0x000008617686cbf6 in scan_common (desc=3, map=0x0,
virname=0x7f7ffffc3c58, scanned=0x85f672275d8, engine=0x8617164e800,
scanoptions=4219447, context=0x7f7ffffc3c30) at scanners.c:3233
ctx = {virname = 0x7f7ffffc3c58, num_viruses = 0, size_viruses = 0,
scanned = 0x85f672275d8, root = 0x0, engine = 0x8617164e800,
scansize = 21404, options = 4219447, recursion = 1, scannedfiles = 1,
found_possibly_unwanted = 0, corrupted_input = 0, img_validate = 0,
container_type = CL_TYPE_MAIL, container_size = 21404,
handlertype_hash = '\0' <repeats 15 times>, dconf = 0x8616f0fe3b8,
fmap = 0x86169502b08, hook_lsig_matches = 0x8616bbebe70,
cb_ctx = 0x7f7ffffc3c30, perf = 0x0}
rc = 0
sb = {st_mode = 33184, st_dev = 9985, st_ino = 45975, st_nlink = 1,
st_uid = 1000, st_gid = 0, st_rdev = -1, st_atim = {tv_sec = 1399905336,
tv_nsec = 495715245}, st_mtim = {tv_sec = 1399904591, tv_nsec = 62550638},
st_ctim = {tv_sec = 1399904591, tv_nsec = 62555667}, st_size = 21404,
st_blocks = 48, st_blksize = 4096, st_flags = 0, st_gen = 0,
__st_birthtim = {tv_sec = 0, tv_nsec = 0}}
#9 0x000008617686cd10 in cl_scandesc_callback (desc=3,
virname=0x7f7ffffc3c58, scanned=0x85f672275d8, engine=0x8617164e800,
scanoptions=4219447, context=0x7f7ffffc3c30) at scanners.c:3252
No locals.
#10 0x0000085f66e123ad in scanfile (filename=0x8616bbebdd0 "test",
engine=0x8617164e800, opts=0x8616afdcc80, options=4219447) at manager.c:303
ret = 0
fd = 3
included = 2145
i = 1895541136
opt = (const struct optstruct *) 0x8616afdc480
virname = 0x86170fba120 ""
virpp = (const char **) 0x7f7ffffc3c58
sb = {st_mode = 33184, st_dev = 9985, st_ino = 45975, st_nlink = 1,
st_uid = 1000, st_gid = 0, st_rdev = -1, st_atim = {tv_sec = 1399905336,
tv_nsec = 495715245}, st_mtim = {tv_sec = 1399904591, tv_nsec = 62550638},
st_ctim = {tv_sec = 1399904591, tv_nsec = 62555667}, st_size = 21404,
st_blocks = 48, st_blksize = 4096, st_flags = 0, st_gen = 0,
__st_birthtim = {tv_sec = 0, tv_nsec = 0}}
chain = {chains = 0x0, lastadd = 0, lastvir = 0, level = 0, n = 0}
#11 0x0000085f66e14c23 in scanmanager (opts=0x8616afdcc80) at manager.c:1005
ret = 0
i = 3
options = 4219447
dboptions = 8202
dirlnk = 1
filelnk = 1
engine = (struct cl_engine *) 0x8617164e800
sb = {st_mode = 33184, st_dev = 9985, st_ino = 45975, st_nlink = 1,
st_uid = 1000, st_gid = 0, st_rdev = -1, st_atim = {tv_sec = 1399905336,
tv_nsec = 495715245}, st_mtim = {tv_sec = 1399904591, tv_nsec = 62550638},
st_ctim = {tv_sec = 1399904591, tv_nsec = 62555667}, st_size = 21404,
st_blocks = 48, st_blksize = 4096, st_flags = 0, st_gen = 0,
__st_birthtim = {tv_sec = 0, tv_nsec = 0}}
file = 0x8616bbebdd0 "test"
cwd = "h£ûpa\b\000\000ð£\232ta\b\000\000h08qa\b\000\000\000\000\000\000\000\000\000\000Çd¡\a\000\000\000\0000\000\000\000\000\000\000\000h£ûpa\b\000\000ð£\232ta\b\000\000\177A at pa\b\000\000Ø>üÿ\177\177\000\000h£ûpa\b\000\000Ø>üÿ\177\177\000\000à>üÿ\177\177\000\000\000\000\000\000\000\000\000\0000?üÿ\177\177\000\000Xç¼ra\b\000\000h08qa\b", '\0' <repeats 11 times>, "@üÿ\177\177\000\000 Û[ta\b\000\000h£ûpa\b\000\000ð£\232ta\b\000\0000?üÿ\177\177\000\000f\037Ôra\b\000\000\000@üÿ\177\177\000\000 "...
pua_cats = 0x0
filename = 0x8616bbebc10 "test"
opt = (const struct optstruct *) 0x861753cde00
rlim = {rlim_cur = 9223372036854775807, rlim_max = 9223372036854775807}
#12 0x0000085f66e10e4c in main (argc=2, argv=0x7f7ffffc43d8) at clamscan.c:166
ds = 0
dms = 2
ret = 32639
mb = 6.9261942496159218e-310
rmb = 6.9261942496182933e-310
t1 = {tv_sec = 1399905336, tv_usec = 624304}
t2 = {tv_sec = 9212704849920, tv_usec = 0}
sigset = 16777216
opts = (struct optstruct *) 0x8616afdcc80
opt = (const struct optstruct *) 0x86175d39a80