Mailing List Archive

[clamav-users] Segfaults with database version 26908
Hello List,

since the update to version 26908 we observe a high amount of segfaults.

As far as I can tell this happens in

0x7fdfd44c377d <ac_backward_match_branch+813>

We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.

Has anyone seen this, too?

Best regards,
Matthias
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] [ext] Segfaults with database version 26908 [ In reply to ]
* Matthias Rieber <matthias+clamav@zu-con.org>:
> Hello List,
>
> since the update to version 26908 we observe a high amount of segfaults.

Same here.

> As far as I can tell this happens in
>
> 0x7fdfd44c377d <ac_backward_match_branch+813>
>
> We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.
>
> Has anyone seen this, too?

I've seen this with 1.1.0-1 as well. Maybe they're related to the
"pattern issue" I posted a while ago.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
Re: [clamav-users] [ext] Segfaults with database version 26908 [ In reply to ]
On Tue, 2023-05-16 at 12:08 +0200, Ralf Hildebrandt via clamav-users
wrote:
>
> >
> > Has anyone seen this, too?
>
> I've seen this with 1.1.0-1 as well. Maybe they're related to the
> "pattern issue" I posted a while ago
>

Me three.

Re: [clamav-users] [ext] Segfaults with database version 26908 [ In reply to ]
Hello,

On Tue, 16 May 2023, Ralf Hildebrandt via clamav-users wrote:

>> As far as I can tell this happens in
>>
>> 0x7fdfd44c377d <ac_backward_match_branch+813>
>>
>> We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.
>>
>> Has anyone seen this, too?
>
> I've seen this with 1.1.0-1 as well. Maybe they're related to the
> "pattern issue" I posted a while ago

Yes, it turns out that you can mitigate this issue when you whitelist
this signature:

$ echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2

Regards,
Matthias

Re: [clamav-users] Segfaults with database version 26908 [ In reply to ]
Same here... same version, but compiled from source directly... and
the same strange message when clamd is restarted:

Starting clamd daemon: LibClamAV Warning: Don't know how to create
filter for: Win.Downloader.LNKAgent-10001628-0
LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie

Best Regards,

Claudio Cuqui

On 5/16/23 07:02, Matthias Rieber wrote:
> Hello List,
>
> since the update to version 26908 we observe a high amount of segfaults.
Re: [clamav-users] Segfaults with database version 26908 [ In reply to ]
Hi All,
I have joined this list just now after seeing the reported issue.
The clamd service keeps crashing with the following error code:
clamsmtp-clamd.service: main process exited, code=killed, status=11/SEGV
Kernel logs (dmesg) shows :
clamd[4053]: segfault at 7f081a3530bf ip 00007f0719f42960 sp 00007f06b5d12980 error 4 in libclamav.so.9.0.5[7f0719f04000+1e9000]

As per the above thread, we have tried the following; after this, the service is working fine.
$ echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2

Would like to understand, how did you find that this is the issue?

Regards
Seena
On May 17 2023, at 12:22 am, Claudio Cuqui <claudio@c3systems.com.br> wrote:


> Same here... same version, but compiled from source directly... and
> the same strange message when clamd is restarted:
>
> Starting clamd daemon: LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
> LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie

Re: [clamav-users] Segfaults with database version 26908 [ In reply to ]
Based on these reports we've started a take-back of the signature, so it
will be dropped in the next daily CVD publish. We'll also analyze to see
why this signature is triggering that behavior on some platforms.

Dave R.

On Tue, May 16, 2023 at 2:53 PM Claudio Cuqui <claudio@c3systems.com.br>
wrote:

> Same here......same version, but compiled from source directly......and
> the same strange message when clamd is restarted:
>
> Starting clamd daemon: LibClamAV Warning: Don't know how to create filter
> for: Win.Downloader.LNKAgent-10001628-0
> LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie


--
---
Dave Raynor
Talos Security Intelligence and Research Group
draynor@sourcefire.com
Re: [clamav-users] Segfaults with database version 26908 [ In reply to ]
Quoting David Raynor <draynor@sourcefire.com>:

> Based on these reports we've started a take-back of the signature, so it
> will be dropped in the next daily CVD publish. We'll also analyze to see
> why this signature is triggering that behavior on some platforms.

Here freshclam (1.1.0) does complain about this signature, but so far
no crashes/segfaults.

May 16 09:35:35 mail systemd[1]: Starting Clam AntiVirus database updater...
May 16 09:35:35 mail freshclam[26095]: ClamAV update process started at Tue May 16 09:35:35 2023
May 16 09:35:35 mail freshclam[26095]: daily database available for update (local version: 26907, remote version: 26908)
May 16 09:35:37 mail freshclam[26095]: WARNING: ******* RESULT 200, SIZE: 7213 *******
May 16 09:35:38 mail freshclam[26095]: Testing database: '/var/lib/clamav/tmp.32a46b71ab/clamav-0ccde10ac58d6d6c5dd79c0318b41381.tmp-daily.cld'
...
May 16 09:35:43 mail freshclam[26097]: [LibClamAV] Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
May 16 09:35:43 mail freshclam[26097]: [LibClamAV] cli_ac_addsig: cannot use filter for trie
May 16 09:35:47 mail freshclam[26095]: Database test passed.
May 16 09:35:49 mail freshclam[26095]: daily.cld updated (version: 26908, sigs: 2034816, f-level: 90, builder: raynman)
May 16 09:35:49 mail freshclam[26095]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
May 16 09:35:49 mail freshclam[26095]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
May 16 09:35:49 mail clamd[934]: SelfCheck: Database modification detected. Forcing reload.
May 16 09:35:49 mail clamd[934]: Reading databases from /var/lib/clamav
May 16 09:35:49 mail freshclam[26095]: Clamd successfully notified about the update.
May 16 09:35:49 mail systemd[1]: freshclam.service: Deactivated successfully.
May 16 09:35:49 mail systemd[1]: Finished Clam AntiVirus database updater.
May 16 09:35:49 mail systemd[1]: freshclam.service: Consumed 10.503s CPU time.
May 16 09:36:17 mail clamd[934]: Database correctly reloaded (8666724 signatures)
May 16 09:36:17 mail clamd[934]: Activating the newly loaded database...

Maybe relevant, freshclam runs through a systemd.timer (so it is never
daemonized).


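Added example, not code from the thread or from ClamAV: a small POSIX shell helper that pulls the signature names out of the "Don't know how to create filter for:" warnings that freshclam and clamd log (as in the output above) and adds them to an .ign2 whitelist like the one Matthias used, skipping names already present so it can run from a cron job or log hook repeatedly. The .ign2 path and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV: pick the signature
# names out of the "Don't know how to create filter for: <name>" warnings that
# freshclam and clamd log, and add them to a local .ign2 whitelist without
# duplicating entries. The .ign2 path is an assumption (the thread used
# /var/lib/clamav/bad_sig.ign2); a temp file is used here so it runs anywhere.

# Constructed sample: lines modelled on the freshclam and clamd output posted
# in the thread, plus lines that must be ignored.
sample_log() {
  cat <<'EOF'
May 16 09:35:43 mail freshclam[26097]: [LibClamAV] Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
May 16 09:35:43 mail freshclam[26097]: [LibClamAV] cli_ac_addsig: cannot use filter for trie
Starting clamd daemon: LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
May 16 09:35:47 mail freshclam[26095]: Database test passed.
EOF
}

# Read log lines on stdin; print each signature named in a filter warning once.
extract_filter_warnings() {
  sed -n 's/.*create filter for: *\([^[:space:]]*\).*/\1/p' | sort -u
}

# Read signature names on stdin; append each to the .ign2 file in $1 unless
# it is already listed (exact, whole-line match), so reruns are idempotent.
append_to_ign2() {
  ign2="$1"
  touch "$ign2"
  while IFS= read -r sig; do
    [ -n "$sig" ] || continue
    grep -qxF -- "$sig" "$ign2" || printf '%s\n' "$sig" >> "$ign2"
  done
}

# Run the pipeline twice against the sample and print the resulting file:
# the second pass must not add a second copy of the name.
demo() {
  tmp="${TMPDIR:-/tmp}/bad_sig.$$.ign2"
  sample_log | extract_filter_warnings | append_to_ign2 "$tmp"
  sample_log | extract_filter_warnings | append_to_ign2 "$tmp"
  cat "$tmp"
  rm -f "$tmp"
}

demo
```

ClamAV loads every .ign2 file found in its database directory, so clamd picks the entry up on its next database reload; remove the entry again once the signature has been dropped from daily.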
Re: [clamav-users] [ext] Segfaults with database version 26908 [ In reply to ]
All,

For those who experience the crashes - is this happening when scanning any specific files with this signature in the database? If so, can you please share that with me directly?

I see the same warning, but I haven't observed any crashes yet. I will continue to debug and try to figure out what may cause a crash.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Matthias Rieber <matthias+clamav@zu-con.org>
Sent: Tuesday, May 16, 2023 5:50 AM
To: Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] [ext] Segfaults with database version 26908

Re: [clamav-users] [ext] Segfaults with database version 26908 [ In reply to ]
The daily database has been updated to drop the offending signature.

We're still investigating to understand what may cause a crash. I was able to see in https://github.com/Cisco-Talos/clamav/issues/923 that the crash may occur at database load time, and not during a scan. So that is a relief.

But we of course still want to find and fix the bug. If anyone has any additional leads or a backtrace / call stack from GDB that would be very helpful.

Thanks all,

Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, May 16, 2023 1:09 PM
To: Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net>
Cc: Micah Snyder (micasnyd) <micasnyd@cisco.com>
Subject: Re: [clamav-users] [ext] Segfaults with database version 26908

Re: [clamav-users] [ext] Segfaults with database version 26908 [ In reply to ]
Here is some information:

It crashes when specific files are scanned. However, it is unlikely
that the file contains the bad signature (but I'm not sure). I have a sample
file, but with personal data that I cannot share. Yesterday I was able to
reproduce the crash, but today I no longer have the version 26908. If you
send me the version of yesterday and describe what you need, I can try to
debug something.

Here is my test from yesterday with version 0.103.8 on gentoo:

# clamscan clamav-0c216ef050250d78d59408a83f383ba1.tmp
LibClamAV Warning: Don't know how to create filter for:
Win.Downloader.LNKAgent-10001628-0
LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie
Segmentation fault

# echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2

# clamscan clamav-0c216ef050250d78d59408a83f383ba1.tmp
clamav-0c216ef050250d78d59408a83f383ba1.tmp: OK

The LibClamAV Warnings also came when scanning other files, but other files
were successfully scanned without any crash.

clamscan[26247]: segfault at 7fd6907960bf ip 00007fd5e36947a7 sp 00007ffe80983900 error 4 in libclamav.so.9.0.5[7fd5e3692000+116000] likely on CPU 0 (core 0, socket 0)

Hope this helps to find the problem.

PS: Thanks to my lifesaver Matthias for the tip about the whitelist
yesterday.

Mario

On Tue, 16 May 2023 at 14:51, Matthias Rieber <matthias+clamav@zu-con.org> wrote:

> yes, it turns out that you can mitigate this issue when you whitelist
> this signature:
>
> $ echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2
Re: [clamav-users] [ext] Segfaults with database version 26908 [ In reply to ]
Hi Mario, all,

Thank you for the extra info and the offer for help.

Last night I also received a backtrace and a sample that will reproduce the crash.
We should be able to figure out a fix for the bug from here.

Thanks again!

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Mario Yorck via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, May 16, 2023 11:55 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Mario Yorck <marioyorck@gmail.com>
Subject: Re: [clamav-users] [ext] Segfaults with database version 26908
