Ged,
This may be an excellent observation. I also see that you’re using libpcre instead of libpcre2. Libpcre and libpcre2 versions earlier than 10.30 use recursive function calls for backtracking.
From the release notes (https://www.pcre.org/changelog.txt):
1. The main interpreter, pcre2_match(), has been refactored into a new version
that does not use recursive function calls (and therefore the stack) for
remembering backtracking positions. This makes --disable-stack-for-recursion a
NOOP. The new implementation allows backtracking into recursive group calls in
patterns, making it more compatible with Perl, and also fixes some other
hard-to-do issues such as #1887 in Bugzilla. The code is also cleaner because
the old code had a number of fudges to try to reduce stack usage. It seems to
run no slower than the old code.
We’ve observed crashes in specific files when using regex/pcre signatures as a result of stack exhaustion, and updating to a modern version of libpcre2 resolves it. I have a suspicion it may resolve the issue for you as well.
If you installed from homebrew though, perhaps the homebrew package needs to be updated to use pcre2 instead of pcre.
CC’ing the clamav-binary mailing list for other package maintainers.
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
From: clamav-users <clamav-users-bounces@lists.clamav.net>
Date: Friday, May 1, 2020 at 5:21 AM
To: James Brown via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
Hi there,
On Fri, 1 May 2020, James Brown via clamav-users wrote:
> Getting lots of crashes of clamd. No indication of an issue in the clamd.log.
> ...
> --> STACK GUARD 0000700000a1c000-0000700000a1d000 [ 4K] ---/rwx SM=NUL stack guard for thread 2
> Stack 0000700000a1d000-0000700000b1f000 [ 1032K] rw-/rwx SM=COW thread 2
> ...
> Thread 2 Crashed:
> 0 libpcre.0.dylib 0x00007fff6e41eae6 0x7fff6e40a000 + 84710
> ...
I'm unfamiliar with some of the tools that you're using but many here
can relate their experiences of the outstandingly good stability of
clamd under what I'll call normal circumstances. Some of us have even
pushed the envelope a little with no stability issues at all.
Unfortunately I have no experience of anything on a Mac that's under
20 years old so you'll need to treat my guesses with caution, but it
looks like a PCRE library is bashing the stack there. It's the sort
of thing that a dodgy PCRE library might easily be expected to do.
Where did it come from? This is the library I'm using on a Raspberry
Pi4b, old but not very old by the standards of the distribution:
$ pldd `pidof clamd` | grep libpcre | xargs ls -lL
-rw-r--r-- 1 root root 485200 Mar 25 2019 /usr/lib/arm-linux-gnueabihf/libpcre2-8.so.0
I looked at
https://www.apple.com/uk/macos/catalina/
and it gave me the impression that the OS is "for entertainment only"
but I guess I'm just an old grouch.
> I use a number of the third party sigs, securite.info, sanesecurity,
> Malware Patrol, etc. Updating those or running Freshclam does not
> crash clamd.
Do the clamd crashes happen at particular times, such as when clamd is
reloading its databases, or is it while scanning?
> Any ideas what could be causing this?
It's probably easier to say what it's likely not to be. :( My guess is
that it's likely not to be a fault in clamd itself, but in something in
your OS to which clamd is linking, but I think there's less testing of
ClamAV on Macs generally than on e.g. Linux, so anything's possible.
How much RAM is in the machine? You'll need at least 2G free before
starting clamd and freshclam, likely more with many 3rd party sigs.
--
73,
Ged.
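
The check discussed in this thread, as an added example that is not part of either message and is not ClamAV code: it classifies a library listing as legacy libpcre or libpcre2 and applies the "earlier than 10.30" rule quoted above. The function names, the sample listing lines and the version 10.32 are constructed for illustration.

```shell
#!/bin/sh
# Added example: which PCRE library is loaded, and does it backtrack on the
# thread stack?

# pcre_flavor LISTING: LISTING is text from a library lister (pldd, ldd,
# otool -L). Prints pcre2, pcre1 (legacy libpcre) or none.
pcre_flavor() {
    if printf '%s\n' "$1" | grep -Eq 'libpcre2-(8|16|32)\.'; then
        echo pcre2
    elif printf '%s\n' "$1" | grep -Eq 'libpcre(16|32)?\.'; then
        echo pcre1
    else
        echo none
    fi
}

# backtracks_on_stack FLAVOR VERSION
# Rule from the message above: legacy libpcre, and libpcre2 earlier than
# 10.30, use recursive function calls for backtracking.
# Exit status: 0 = yes, 1 = no, 2 = pcre2 version string not parseable.
backtracks_on_stack() {
    f=$1 v=$2
    [ "$f" = pcre1 ] && return 0
    [ "$f" = pcre2 ] || return 1
    case $v in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -lt 30 ]; }
}

# Constructed sample input: the library names come from the thread, the
# macOS path is a placeholder.
SAMPLE_MAC='/path/to/libpcre.0.dylib (compatibility version 1.0.0)'
SAMPLE_PI='/usr/lib/arm-linux-gnueabihf/libpcre2-8.so.0'

report() {
    flavor=$(pcre_flavor "$1")
    rc=0
    backtracks_on_stack "$flavor" "$2" || rc=$?
    case $rc in
        0) echo "$flavor $2: recursive backtracking, stack exhaustion possible" ;;
        1) echo "$flavor $2: the recursion rule does not apply" ;;
        *) echo "$flavor: version unknown, check it by hand" ;;
    esac
}
report "$SAMPLE_MAC" ""
report "$SAMPLE_PI" "10.32"   # version assumed for the demo
```

On Linux the listing can come from the `pldd` command shown in the message above, and the version from `pcre2-config --version` where that tool is installed.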