[clamav-users] [ext] Segfaults with database version 26908
Micah Snyder (micasnyd)
micasnyd at cisco.com
Wed May 17 16:50:47 UTC 2023
Hi Mario, all,
Thank you for the extra info and the offer for help.
Last night I also received a backtrace and a sample that will reproduce the crash.
We should be able to figure out a fix for the bug from here.
Thanks again!
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of Mario Yorck via clamav-users <clamav-users at lists.clamav.net>
Sent: Tuesday, May 16, 2023 11:55 PM
To: ClamAV users ML <clamav-users at lists.clamav.net>
Cc: Mario Yorck <marioyorck at gmail.com>
Subject: Re: [clamav-users] [ext] Segfaults with database version 26908
Here is some information:
It crashes when specific files are scanned. However, it is unlikely that the file contains the bad signature (but I'm not sure). I have a sample file, but with personal data that I cannot share. Yesterday I was able to reproduce the crash, but today I no longer have version 26908. If you send me the version of yesterday and describe what you need, I can try to debug something.
Here is my test from yesterday with version 0.103.8 on Gentoo:
# clamscan clamav-0c216ef050250d78d59408a83f383ba1.tmp
LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie
Segmentation fault
# echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2
# clamscan clamav-0c216ef050250d78d59408a83f383ba1.tmp
clamav-0c216ef050250d78d59408a83f383ba1.tmp: OK
The LibClamAV Warnings also came when scanning other files, but other files were successfully scanned without any crash.
clamscan[26247]: segfault at 7fd6907960bf ip 00007fd5e36947a7 sp 00007ffe80983900 error 4 in libclamav.so.9.0.5[7fd5e3692000+116000] likely on CPU 0 (core 0, socket 0)
Hope this helps to find the problem.
PS: Thanks to my lifesaver Matthias for the tip about the whitelist yesterday.
Mario
On Tue, 16 May 2023 at 14:51, Matthias Rieber <matthias+clamav at zu-con.org> wrote:
Hello,
On Tue, 16 May 2023, Ralf Hildebrandt via clamav-users wrote:
>> As far as I can tell this happens in
>>
>> 0x7fdfd44c377d <ac_backward_match_branch+813>
>>
>> We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.
>>
>> Has anyone seen this, too?
>
> I've seen this with 1.1.0-1 as well. Maybe they're related to the
> "pattern issue" I posted a while ago
Yes, it turns out that you can mitigate this issue when you whitelist
this signature:
$ echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2
Regards,
Matthias
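
For triage of the kernel "segfault at" line quoted in this thread, the following is an added example (not code from the thread or from the ClamAV project) that parses the line, decodes the x86 page-fault error code and computes the faulting instruction's offset inside the reported mapping. The function name parse_segfault and the dict keys are assumptions of this example.

```python
import re

# Layout of the x86 kernel "segfault at" line, as seen in the thread above.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear)
ERROR_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write access", "read access"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set", None),
    (0x10, "instruction fetch", None),
]


def parse_segfault(line):
    """Return a dict describing the fault, or None if the line does not match."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err = int(m["err"], 16)
    info = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "ip": int(m["ip"], 16),
        "error": [s if err & mask else c for mask, s, c in ERROR_BITS if (err & mask) or c],
        "module": m["module"],
        "offset": None,
    }
    if m["module"] is not None:
        base, size = int(m["base"], 16), int(m["size"], 16)
        # Offset is relative to the start of the mapping the kernel reports, which
        # need not be the file's first byte; check the segment's file offset too.
        if base <= info["ip"] < base + size:
            info["offset"] = info["ip"] - base
    return info

# The line Mario posted in the thread.
LINE = ("clamscan[26247]: segfault at 7fd6907960bf ip 00007fd5e36947a7 sp 00007ffe80983900 "
        "error 4 in libclamav.so.9.0.5[7fd5e3692000+116000] likely on CPU 0 (core 0, socket 0)")

if __name__ == "__main__":
    r = parse_segfault(LINE)
    print(f"{r['module']} +{r['offset']:#x}: {', '.join(r['error'])}")
```

The offset is only useful for symbol lookup against the exact libclamav build that crashed, with matching debug symbols.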