| Summary: | ClamD killed (PAX related) after DB updates (clamav-0.96.1) | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | lou <whitehatcheck> |
| Component: | Current packages | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | alunduil, antivirus, ap, atoth, bug, chainsaw, csamsel, droid, dschridde+gentoobugs, gengor, genzilla, idl0r, jonnykent, larstobi, net-mail+disabled, paluszak, subscryer, toffanin.mauro |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| URL: | https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 333337 | | |
| Bug Blocks: | | | |
Description
lou
2010-06-29 18:53:47 UTC
---

paxctl -m /usr/sbin/clamd help here

---

(In reply to comment #1)
> paxctl -m /usr/sbin/clamd help here

That didn't work for me. I disabled PAGEEXEC, MPROTECT, RANDEXEC and EMUTRAMP on my boxes, and it continued to crash. Apparently it was related to attachments with bytecode only, so you may not be seeing that at the moment. I guess you can send thumbs.db and you might be able to force a crash at that time. The suggested workaround at the moment is to disable bytecode checking by adding 'Bytecode off' to freshclam.conf. Some good info here: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092

---

> > paxctl -m /usr/sbin/clamd help here

paxctl -m actually helped in my case. Of course, you have to run it on every executable you use; if you run clamscan, run it on the clamscan executable and so on.

---

*** Bug 329323 has been marked as a duplicate of this bug. ***

---

For kernel 2.6.32-hardened-r9 with grsec, pax and clamav-0.96.1: tried all the paxctl work-arounds but none worked; however, "Bytecode no" in freshclam.conf plus deleting /var/lib/clamav/bytecode.cvd worked for me ("Bytecode off" gave 'ERROR: Incorrect argument format for option Bytecode').

---

Seems to be fixed in 0.96.2, so I'll add the version bump request as a dependency.

---

I'm not sure if I should open a new bug. On the hardened profile, freshclam can't use JIT (and bytecode); it throws:

```
[...]
Downloading daily-12394.cdiff [100%]
daily.cld updated (version: 12394, sigs: 11180, f-level: 58, builder: arnaud)
Downloading bytecode-94.cdiff [100%]
Downloading bytecode-95.cdiff [100%]
[LibClamAV] Bytecode: disabling JIT because PaX is preventing 'mprotect' access.
Run 'paxctl -cm <executable>'
ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
```

The same with clamd:

```
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect' access.
```

Yes, I can run paxctl on the libclamav lib, but I wonder, maybe it should be done by the ebuild?

---

(In reply to comment #7)
> I'm not sure if should i open new bug. On hardened profile, freshclam can't use
> JIT (and bytecode), throws:
> [...]
> Downloading daily-12394.cdiff [100%]
> daily.cld updated (version: 12394, sigs: 11180, f-level: 58, builder: arnaud)
> Downloading bytecode-94.cdiff [100%]
> Downloading bytecode-95.cdiff [100%]
> [LibClamAV] Bytecode: disabling JIT because PaX is preventing 'mprotect'
> access.
> Run 'paxctl -cm <executable>'
> ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't
> allocate RWX Memory: Operation not permitted
>
> The same with clamd:
> LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not
> permitted
> LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect'
> access.
>
> Yes, i can run paxctl on libclamav lib but i wonder maybe should it be done by
> ebuild?

For the current clamav it is the expected behavior. If you don't remove mprotect, clamav detects it and disables JIT features. You have the choice.

---

> For the current clamav it is the expected behavior. If you don't remove
> mprotect, clamav detects it and disables JIT features. You have the choice.

I prefer choosing using USE flags, for example USE="SECURITY_HAZARD". If I enable mprotect manually, I've got to remember to do it next time, and $(equery k clamav) shows an incorrect MD5sum for libclamav. But if there is a good reason not to do it with a USE flag, I can live with it ;)
(It would be nice to have the possibility to create one's own "post_install action" for a chosen package.)

---

(In reply to comment #9)
> > For the current clamav it is the expected behavior. If you don't remove
> > mprotect, clamav detects it and disables JIT features. You have the choice.
>
> I prefer choosing using USE flags, for example USE="SECURITY_HAZARD". If i
> enable mprotect manually, i've got to remember to do it next time and $(equery
> k clamav) shows incorrect MD5sum for liblcamav. But if there are good reason to
> don't do it with USE flag, i can live with it ;)
> (It would be nice to have possibility to create own "post_install action" for
> choosen package)

I'm not a developer. I've heard some rumors about a jit USE flag. You may pay a visit to the hardened Gentoo IRC channel...

---

```
 * Starting clamd ...
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect' access.
Run 'paxctl -cm <executable>'
 [ ok ]
 * Starting freshclam ...
 [ ok ]
```

I started getting this warning with 0.96.5; setting "Bytecode no" in freshclam.conf of course helped get rid of that warning.

---

> LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect'

You can disable JIT bytecode by setting

Bytecode no

in /etc/clamd.conf. It will remove the error message and clamav will continue working fine.

---

(In reply to comment #12)
> > LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect'
>
> You can disable JIT bytecode by setting
>
> Bytecode no
>
> in /etc/clamd.conf. It will remove the error message and clamav will continue
> working fine.

Okay, ignore that comment, it is misleading. We *want* bytecode because it allows for more sophisticated detection. We just don't want to interpret the bytecode via JIT, rather than the old way via an interpreter.

As of clamav-0.96.5, clamd detects whether the system is able to allocate an RWX page (line 156 of libclamav/c++/detect.cpp) by simply trying to do so. If it fails, then it simply displays the warning message "RWX mapping denied: ..." (line 158), and it fails to set a bitfield in env->os_features (line 160) which is later used in libclamav/bytecode.c to revert to CL_BYTECODE_MODE_INTERPRETER (line 2446) rather than JIT. This code is called only once upon startup, when cli_detect_environment() is run, and so the error message is seen only once.

I don't really see any problem here as of version 0.96.5.

---

*** Bug 458268 has been marked as a duplicate of this bug. ***

---

Does anyone know if this is still a problem? -- just asking since that version has long been removed from the tree (oldest version in the tree is 0.98 at the moment)

---

(In reply to Thomas Raschbacher from comment #15)
> Does anyone know if this is still a problem? -- just asking since that
> version has long been removed from the tree (oldest version in the tree is
> 0.98 at the moment)

On my systems clamav currently correctly detects whether mprotect is enabled or not and acts accordingly. I think this problem has been solved. Although it would be good to hear the same from another hardened user.

---

I can confirm it's been working correctly for a long time now.

---

I can concur, as well as note that the version of clamav under question is no longer in the tree.

---

Marking this as fixed if I don't hear anything by Sept 20.
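The detect-and-fall-back sequence a later commenter describes for clamav-0.96.5 (probe an RWX page once at startup in detect.cpp, warn if denied, and let bytecode.c drop from JIT to the interpreter), as an added C example written for this page and not libclamav's own code: the feature-bit names, probe_page(), detect_environment() and select_bytecode_mode() are this example's assumptions, and the RW-to-RWX mprotect() probe is added to cover the 'mprotect' half of the warning text.

```c
#define _DEFAULT_SOURCE /* exposes MAP_ANONYMOUS in glibc headers */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical feature bits standing in for env->os_features (names and
 * values are this example's own, not libclamav's). */
#define OS_FEATURE_RWX_MAP      0x1u  /* mmap() of an RWX page allowed */
#define OS_FEATURE_RWX_MPROTECT 0x2u  /* mprotect() RW -> RWX allowed  */

enum bytecode_mode { BYTECODE_MODE_JIT = 1, BYTECODE_MODE_INTERPRETER = 2 };

/* Map one anonymous page with prot_map, optionally mprotect() it to prot_final,
 * and report whether the kernel allowed it; PaX MPROTECT refuses both with EPERM. */
static int probe_page(int prot_map, int prot_final)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, prot_map, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    int ok = prot_final == prot_map || mprotect(p, page, prot_final) == 0;
    int saved = errno;           /* keep the denial reason for the caller */
    munmap(p, page);
    errno = saved;
    return ok;
}

/* Run once at startup, like cli_detect_environment(): try the RWX page and
 * print the warning once if it is denied; the feature bit then stays unset. */
unsigned detect_environment(void)
{
    unsigned features = 0;
    const int rwx = PROT_READ | PROT_WRITE | PROT_EXEC;
    if (probe_page(rwx, rwx))
        features |= OS_FEATURE_RWX_MAP;
    else
        fprintf(stderr, "RWX mapping denied: Can't allocate RWX Memory: %s\n",
                strerror(errno));
    if (probe_page(PROT_READ | PROT_WRITE, rwx))
        features |= OS_FEATURE_RWX_MPROTECT;
    return features;
}

/* Consumer of the bits, as bytecode.c does: no RWX memory means the engine
 * reverts to the interpreter instead of JIT; bytecode itself stays enabled. */
enum bytecode_mode select_bytecode_mode(unsigned features)
{
    return (features & OS_FEATURE_RWX_MAP) ? BYTECODE_MODE_JIT : BYTECODE_MODE_INTERPRETER;
}
```

On a stock kernel both bits are set and JIT is chosen; under a PaX kernel with MPROTECT enforced on the binary the warning prints once and the interpreter is chosen, which is the state the thread's paxctl -m workaround changes.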