All,
Around clamav version 0.84, I noticed clamav would crash or hang when
processing a particular zip file. On one system, clamd runs up to 99%
CPU and spins indefinitely (FreeBSD 4.8). On another (FreeBSD 4.10), it
crashes with a signal 4 (illegal instruction). I isolated the problem
to a .fla file (Macromedia Flash source) in the zip. The behavior is
NOT seen with straight clamscan. This only happens if clamd is asked to
scan the file via clamdscan. A workaround was to use clamscan instead
of clamdscan on the mail server (ouch!). Eventually I got the time to
upgrade to the latest "stable" version (0.86.2) and test it out - the
problem is still there.
I rebuilt clamd with debugging symbols and ran it under gdb with Debug
and Foreground in the config file (otherwise defaults are used). When
scanning the file, I got these results (log trimmed somewhat to get
under the 40k posting limit of the list):
Starting program:
/usr/ports/security/clamav/work/clamav-0.86.2/clamd/.libs/lt-clamd
LibClamAV debug: Loading databases from /var/db/clamav
[[snip virus database loading - all looks normal]]
LibClamAV debug: set stacksize to 262144
LibClamAV debug: Calculated MD5 checksum: 7502549f16535f43ff8a0f0bf3d26d66
LibClamAV debug: Calculated MD5 checksum: 344a248d0562ed6cfb51709126a90a5b
LibClamAV debug: Recognized OLE2 container file
LibClamAV debug: in cli_scanole2()
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug: mmap'ed file
LibClamAV debug:
Magic: 0xLibClamAV debug: d0LibClamAV debug:
cfLibClamAV debug: 11LibClamAV debug: e0LibClamAV debug: a1LibClamAV
debug: b1LibClamAV debug: 1aLibClamAV debug: e1LibClamAV debug:
LibClamAV debug: CLSID: {LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug:
0 LibClamAV debug: }
LibClamAV debug: Minor version: 0x3e
LibClamAV debug: DLL version: 0x3
LibClamAV debug: Byte Order: -2
LibClamAV debug: Big Block Size: 9
LibClamAV debug: Small Block Size: 6
LibClamAV debug: BAT count: 17
LibClamAV debug: Prop start: 2
LibClamAV debug: SBAT cutoff: 4096
LibClamAV debug: SBat start: 1429
LibClamAV debug: SBat block count: 10
LibClamAV debug: XBat start: -2
LibClamAV debug: XBat block count: 0
LibClamAV debug: Root Entry LibClamAV debug:
[root] LibClamAV debug: r LibClamAV debug: 78272 0
LibClamAV debug: Symbol 179 LibClamAV debug:
[file] LibClamAV debug: b LibClamAV debug: 4327 0
[[repeats 102 times from "Symbol 175" down to "Symbol 60", various
"debug: " values]]
LibClamAV debug: Symbol 59 LibClamAV debug:
[file] LibClamAV debug: b LibClamAV debug: 1119 0
Program received signal SIGSEGV, Segmentation fault.
0x28184c91 in vfprintf () from /usr/lib/libc_r.so.4
(gdb) bt
#0 0x28184c91 in vfprintf () from /usr/lib/libc_r.so.4
#1 0x281434cb in vsnprintf () from /usr/lib/libc_r.so.4
#2 0x28078fbb in cli_dbgmsg (str=0x280ae460 "%34s ") at others.c:122
#3 0x2808f85f in print_property_name (pname=0xbfaef42c "S", size=20) at
ole2_extract.c:186
#4 0x2808f8b6 in print_ole2_property (property=0xbfaef42c) at
ole2_extract.c:197
#5 0x280901c5 in ole2_walk_property_tree (fd=11, hdr=0xbfafe65c,
dir=0x8a19c80 "/var/tmp//clamav-999410477b346e70", prop_index=66,
handler=0x28090504 <handler_writefile>, rec_level=1,
file_count=0xbfafe5f8, limits=0xbfbff8c4) at ole2_extract.c:509
#6 0x2809032c in ole2_walk_property_tree (fd=11, hdr=0xbfafe65c,
dir=0x8a19c80 "/var/tmp//clamav-999410477b346e70", prop_index=67,
handler=0x28090504 <handler_writefile>, rec_level=1,
file_count=0xbfafe5f8, limits=0xbfbff8c4) at ole2_extract.c:536
[[repeats 110 times from "prop_index=68" to "prop_index=173", other
parameters identical.]]
#108 0x2809032c in ole2_walk_property_tree (fd=11, hdr=0xbfafe65c,
dir=0x8a19c80 "/var/tmp//clamav-999410477b346e70", prop_index=177,
handler=0x28090504 <handler_writefile>, rec_level=1,
file_count=0xbfafe5f8, limits=0xbfbff8c4) at ole2_extract.c:536
#109 0x2809037c in ole2_walk_property_tree (fd=11, hdr=0xbfafe65c,
dir=0x8a19c80 "/var/tmp//clamav-999410477b346e70", prop_index=0,
handler=0x28090504 <handler_writefile>, rec_level=0,
file_count=0xbfafe5f8, limits=0xbfbff8c4) at ole2_extract.c:540
#110 0x28090c8a in cli_ole2_extract (fd=11, dirname=0x8a19c80
"/var/tmp//clamav-999410477b346e70", limits=0xbfbff8c4) at
ole2_extract.c:826
#111 0x28080050 in cli_scanole2 (desc=11, virname=0xbfafea78,
scanned=0x0, root=0x80711c0, limits=0xbfbff8c4, options=111, arec=1, mrec=0)
at scanners.c:1142
#112 0x28080aa7 in cli_magic_scandesc (desc=11, virname=0xbfafea78,
scanned=0x0, root=0x80711c0, limits=0xbfbff8c4, options=111, arec=0,
mrec=0) at scanners.c:1454
#113 0x28080e36 in cl_scandesc (desc=11, virname=0xbfafea78,
scanned=0x0, root=0x80711c0, limits=0xbfbff8c4, options=111) at
scanners.c:1563
#114 0x28080eec in cl_scanfile (filename=0xbfafeb31
"/raid/home/brian/home_top_.fla", virname=0xbfafea78, scanned=0x0,
root=0x80711c0,
limits=0xbfbff8c4, options=111) at scanners.c:1589
#115 0x804eefd in scan (filename=0xbfafeb31
"/raid/home/brian/home_top_.fla", scanned=0x0, root=0x80711c0,
limits=0xbfbff8c4, options=111,
copt=0x8054380, odesc=10, contscan=1) at scanner.c:235
#116 0x804d37a in command (desc=10, root=0x80711c0, limits=0xbfbff8c4,
options=111, copt=0x8054380, timeout=120) at session.c:105
#117 0x804db03 in scanner_thread (arg=0x89c8120) at server-th.c:87
#118 0x804d941 in thrmgr_worker (arg=0x8a19b40) at thrmgr.c:199
#119 0x28119240 in _thread_start () from /usr/lib/libc_r.so.4
#120 0x0 in ?? ()
(gdb) c
Continuing.
Program terminated with signal SIGILL, Illegal instruction.
The program no longer exists.
(gdb)
I really don't know enough about OLE2 to figure out if this is a broken
file or not, but in any case, I don't think that clamd should be
SIGILLing over it... :) The SIGSEGV and SIGILL seem to indicate the
stack took some damage along the way. The behavior without Debug in the
configuration is similar - only the last four frames are different:
#0 0x28184c91 in vfprintf () from /usr/lib/libc_r.so.4
#1 0x281766fa in sprintf () from /usr/lib/libc_r.so.4
#2 0x28090639 in handler_writefile (fd=11, hdr=0xbfafe65c,
prop=0xbfaef42c, dir=0x8a19c80 "/var/tmp//clamav-013846afefb49caa")
at ole2_extract.c:616
#3 0x280902df in ole2_walk_property_tree (fd=11, hdr=0xbfafe65c,
dir=0x8a19c80 "/var/tmp//clamav-013846afefb49caa", prop_index=66,
handler=0x28090504 <handler_writefile>, rec_level=1,
file_count=0xbfafe5f8, limits=0xbfbff8c4) at ole2_extract.c:528
I can provide the .fla file to developers who may work on the issue (or
help me work on it) but it's client data so I can't post it publicly.
Thanks!
Brian
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
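The backtrace above shows ole2_walk_property_tree nested about 110 deep at rec_level=1, one frame per successive prop_index (66, 67, ... 177), inside a clamd worker thread whose stack the log reports as 262144 bytes. Whether that depth is what damages the stack here is not established by the post. The following is an added example, not ClamAV's code and not from the poster, of the OLE2 (Compound File) directory-tree walk in the two shapes that matter: a recursive walk that spends one frame per sibling hop, as the backtrace does, and an iterative walk with an explicit work list that rejects dangling links and entries reachable twice (which covers cycles). It models only the link fields of the 128-byte directory entry, builds its sample trees in memory rather than parsing a file, and the 1024-entry cap is an assumed limit.

```c
/* Added example, not ClamAV's code. Models only the link fields of an OLE2
 * directory entry; sample trees are constructed in memory. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NOSTREAM    0xFFFFFFFFu  /* OLE2 marker for "no sibling / no child" */
#define MAX_ENTRIES 1024         /* cap on directory entries (assumed limit) */

typedef struct {
    uint8_t  type;                /* 1 = storage, 2 = stream, 5 = root entry */
    uint32_t left, right, child;  /* entry indices of the sibling/child links */
} dirent_t;

/* Recursive walk: every sibling hop is a new stack frame, so a chain of N
 * right-siblings needs N frames. Records the deepest frame reached. It does
 * not terminate on a cycle, so it must only be given a well-formed tree. */
static int walk_recursive(const dirent_t *d, uint32_t n, uint32_t idx,
                          int depth, int *max_depth)
{
    if (idx == NOSTREAM || idx >= n)
        return 0;
    if (depth > *max_depth)
        *max_depth = depth;
    int count = 1;
    if (d[idx].type == 1 || d[idx].type == 5)
        count += walk_recursive(d, n, d[idx].child, depth + 1, max_depth);
    count += walk_recursive(d, n, d[idx].left, depth + 1, max_depth);
    count += walk_recursive(d, n, d[idx].right, depth + 1, max_depth);
    return count;
}

/* Iterative walk with an explicit work list and a "pushed" bitmap. Each entry
 * is pushed at most once, so the list never needs more than n slots and stack
 * use is constant regardless of tree shape. Returns entries visited, or -1 for
 * an out-of-range link, an entry reachable by two paths (any cycle included),
 * or a table larger than the cap. */
static int walk_bounded(const dirent_t *d, uint32_t n)
{
    if (n == 0 || n > MAX_ENTRIES)
        return -1;
    uint8_t  *pushed = calloc(n, 1);
    uint32_t *work   = malloc(n * sizeof *work);
    int count = 0, rc = 0;
    size_t top = 0;
    if (!pushed || !work) { free(pushed); free(work); return -1; }
    pushed[0] = 1;
    work[top++] = 0;                       /* directory entry 0 is the root */
    while (top > 0 && rc == 0) {
        uint32_t idx = work[--top];
        uint32_t links[3] = { d[idx].left, d[idx].right,
            (d[idx].type == 1 || d[idx].type == 5) ? d[idx].child : NOSTREAM };
        count++;
        for (int i = 0; i < 3 && rc == 0; i++) {
            uint32_t l = links[i];
            if (l == NOSTREAM)
                continue;
            if (l >= n || pushed[l])       /* dangling link, or reached twice */
                rc = -1;
            else {
                pushed[l] = 1;
                work[top++] = l;
            }
        }
    }
    free(pushed);
    free(work);
    return rc ? rc : count;
}

/* Constructed sample: root -> child 1, then a right-sibling chain
 * 1 -> 2 -> ... -> n-1 of stream entries. This degenerate (unbalanced)
 * shape costs the recursive walker one frame per entry. */
static void build_chain(dirent_t *d, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++) {
        d[i].type  = (i == 0) ? 5 : 2;
        d[i].left  = NOSTREAM;
        d[i].child = NOSTREAM;
        d[i].right = (i > 0 && i + 1 < n) ? i + 1 : NOSTREAM;
    }
    d[0].child = (n > 1) ? 1 : NOSTREAM;
}

/* Wrappers that build a sample tree and run a walker over it. */
static int chain_recursive_depth(uint32_t n)
{
    dirent_t d[MAX_ENTRIES]; int max_depth = 0;
    if (n == 0 || n > MAX_ENTRIES) return -1;
    build_chain(d, n);
    (void)walk_recursive(d, n, 0, 1, &max_depth);
    return max_depth;
}
static int chain_bounded(uint32_t n)
{
    dirent_t d[MAX_ENTRIES];
    if (n == 0 || n > MAX_ENTRIES) return -1;
    build_chain(d, n);
    return walk_bounded(d, n);
}
/* Same chain, but the last sibling's right link is overwritten with bad_link:
 * an index already in the tree makes a cycle, an index >= n dangles. */
static int malformed_bounded(uint32_t n, uint32_t bad_link)
{
    dirent_t d[MAX_ENTRIES];
    if (n == 0 || n > MAX_ENTRIES) return -1;
    build_chain(d, n);
    d[n - 1].right = bad_link;
    return walk_bounded(d, n);
}

int main(void)
{
    printf("chain of 200: recursive depth %d, bounded count %d\n",
           chain_recursive_depth(200), chain_bounded(200));
    printf("cycle: %d, dangling link: %d\n",
           malformed_bounded(200, 1), malformed_bounded(200, 300));
    return 0;
}
```

The chain is the worst case for the recursive walker: a directory of N entries laid out as a single sibling chain needs N frames, and the frame count is controlled entirely by the file. The bounded walker's cost is one bitmap bit and one work-list slot per entry, so its stack use does not depend on how the links are arranged; a recursion-depth limit on the recursive form would also bound the frames but would still accept a cyclic tree, which the pushed bitmap rejects outright.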