I am experiencing exactly the same problem with the same configuration.

Portage 2.1.6.13 (hardened/linux/amd64/2008.0, gcc-3.4.6, glibc-2.8_p20080602-r1, 2.6.24-hardened-r3 x86_64)
=================================================================
System uname: Linux-2.6.24-hardened-r3-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5600+-with-glibc2.3.2

Comment 2 Eray Aslan 2009-07-03 10:22:15 UTC

Are you using any 3rd party signatures which are downloaded not via freshclam?  If yes, check for race conditions in you download script.

No, I am not using any 3rd party signatures. Is there a chance that this is an x86_64 specific issue? I have another server with almost identical setup but different hardware which seems to be unaffected:

Portage 2.1.6.13 (hardened/linux/x86/2008.0, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r7 i686)
=================================================================
System uname: Linux-2.6.28-hardened-r7-i686-Intel-R-_Pentium-R-_4_CPU_3.00GHz-with-glibc2.3.2

Comment 4 Eray Aslan 2009-07-03 15:28:02 UTC

(In reply to comment #3)
>Is there a chance that this is an x86_64 specific issue?

Maybe.  Maybe some interaction of x86_64 with hardened profile.  Or maybe something else entirely.  Unfortunately, there is not much to go on in this bug report. I suggest you get a backtrace when clamav segfaults with strace/ltrace/gdb and then we follow up from there.

Same problem here, amd64 as well:

Jul  7 08:48:38 io PAX: From *.*.*.*: execution attempt in: <NULL>, 00000000-00000000 00000000
Jul  7 08:48:38 io PAX: terminating task: /usr/sbin/clamd(clamd):16467, uid/euid: 102/102, PC: 0000000000000000, SP: 00006b4cb288d8e0
Jul  7 08:48:38 io PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Jul  7 08:48:38 io PAX: bytes at SP-8:

I've been able to strace the crash. Hope that's what you need. I didn't want to attach the 800kb so please find the strace at http://www.episode-iv.de/public/clamd.trace.tar.bz2

I have been trying to get something through gdb, but clamd somehow won't crash if gdb is attached. It has been running for almost 3 days now and it's still fine.

(In reply to comment #2)
> Are you using any 3rd party signatures which are downloaded not via freshclam? 
> If yes, check for race conditions in you download script.
> 

No , pure clamav signatures.

Comment 8 Eray Aslan 2009-07-08 04:58:10 UTC

> I've been able to strace the crash.

Thanks for the trace.  Please open a bug report at clamav.net and and give a link here.  All suggest a race condition with databases.  In the meanwhile, you can try

* backing up and deleting your virus database directory.  Let freshclam download a fresh copy
* disable self-check in clamd.  Let freshclam notify when there is an update.

Re-fetching signatures and disabling self-check didn't help. Reported this upstream at https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1653

(In reply to comment #6)
> I have been trying to get something through gdb, but clamd somehow won't crash
> if gdb is attached. It has been running for almost 3 days now and it's still
> fine.
I can reproduce the crash now but I'm unable to get a meaningful backtrace which the clamav devs need... I added -ggdb to my CFLAGS and -nopie to my LDFLAGS, recompiled but I still only get 0x0000000000000000 in ?? ().
Any hints?

Comment 11 Eray Aslan 2009-07-08 16:27:17 UTC

(In reply to comment #10)
> I added -ggdb to my CFLAGS and -nopie to my
> LDFLAGS, recompiled but I still only get 0x0000000000000000 in ?? ().
> Any hints?

Do not strip binaries.
http://www.gentoo.org/proj/en/qa/backtraces.xml

Sorry, forgot to mention that... Tried as well with FEATURES="nostrip"...

Comment 13 Eray Aslan 2009-07-08 17:28:04 UTC

Uhm, that's it.  If you are in a library, make sure you compile that lib withouting stripping as well.  Basically, gdb needs the symbol table to be present to deduce the function names.

Can anyone test whether the same behavior occurs without a PAX kernel? I can't reboot my system at the moment...

(In reply to comment #14)
> Can anyone test whether the same behavior occurs without a PAX kernel? I can't
> reboot my system at the moment...
> 

My original report was from hardened kernel & environment.

Created attachment 198189 [details]
File crashing clamscan

This is a file crashing clam(d)scan reliably on my system. Maybe someone else can try to get a backtrace... I seem to suck too much at this ;o)

Comment 17 Eray Aslan 2009-07-19 05:22:47 UTC

I cannot reproduce the crash:

$ clamdscan /tmp/1.ura 
/tmp/1.ura: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.264 sec (0 m 0 s)

I have similar problem at
Portage 2.1.6.13 (hardened/x86, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 i686)

maybe de-stable (mark as ~x86) this version now ?

Comment 19 Tobias Scherbaum (RETIRED) 2009-07-20 17:57:40 UTC

To sum up things: only affects pax-enabled kernels. de-stabling an older version isn't an option, you can switch back to an older version - but do consider the security implications of doing so.

Luckily I was able to reproduce this on an oldish pax-enabled box, i'll try to get a backtrace. (which will take some time, sadly)

Comment 20 Tobias Scherbaum (RETIRED) 2009-07-20 18:26:18 UTC

(In reply to comment #9)
> Re-fetching signatures and disabling self-check didn't help. Reported this
> upstream at https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1653
> 

Something's wrong with that bug? I can't access it, though being registered at their bugzie.

(In reply to comment #20)
> Something's wrong with that bug? I can't access it, though being registered at
> their bugzie.
It's only visible to the bug's CC list, probably because it's a potential security vulnerability... 
I tried to add you to the CC list but didn't succeed. Did you register with the same e-mail address as listed here?

Comment 22 Tobias Scherbaum (RETIRED) 2009-07-20 20:50:41 UTC

(In reply to comment #21)
> (In reply to comment #20)
> > Something's wrong with that bug? I can't access it, though being registered at
> > their bugzie.
> It's only visible to the bug's CC list, probably because it's a potential
> security vulnerability... 
> I tried to add you to the CC list but didn't succeed. Did you register with the
> same e-mail address as listed here?
> 

tobias@scherbaum.info, please :) Oh ... and yeah, i was thinking of that reasoning as well *sigh*

Same Problem here.

[5038095.215319] PAX: From 192.168.1.2: execution attempt in: <NULL>, 00000000-00000000 00000000
[5038095.215324] PAX: terminating task: /usr/bin/clamscan(clamscan):5890, uid/euid: 0/0, PC: 0000000000000000, SP: 00007c34342d06d0
[5038095.215329] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[5038095.215358] PAX: bytes at SP-8:
[6083075.548258] PAX: From 192.168.0.4: execution attempt in: <NULL>, 00000000-00000000 00000000
[6083075.548264] PAX: terminating task: /usr/bin/clamscan(clamscan):6368, uid/euid: 0/0, PC: 0000000000000000, SP: 00007e0787052a20
[6083075.548268] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[6083075.548298] PAX: bytes at SP-8:


EIS pub # emerge --info
Portage 2.1.6.13 (hardened/amd64, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r1 x86_64)
=================================================================
System uname: Linux-2.6.28-hardened-r1-x86_64-Dual-Core_AMD_Opteron-tm-_Processor_1210-with-gentoo-1.12.11.1
Timestamp of tree: Thu, 06 Aug 2009 17:15:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-lang/python:     2.6.2-r1
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=opteron -pipe -fforce-addr "
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=opteron -pipe -fforce-addr "
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ "
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 bash-completion berkdb cracklib crypt fam gnutls hardened justify mmx mysql nls nptl nptlonly offensive pam pic readline sse sse2 ssl sysfs tcpd threads unicode urandom winbind xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x        ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3       trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 intel mach64         mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis       sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Comment 24 Eray Aslan 2009-08-19 10:14:18 UTC

Report of changing CFLAGS helps with the segfault and a possible hardened GCC bug from clamav-users mailing list:

[...]
In all of these cases, clamd/clamscan are either segfaulting, or being 
killed off by PaX. At first, I suspected a (possibly exploitable) bug in 
LibClamAV, but it would seem that this is not the case. I now believe 
the bug is actually in our particular version of GCC, which is why only 
Gentoo users have noticed. 

For example, with my default, 

CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer" 

I get the crash (PaX is killing off an execution attempt at NULL): 

mx1 test-cases # clamscan postcard.zip 
LibClamAV Error: cli_checkfp(): lseek() failed 
Killed 

But with, 

CFLAGS="-pipe -fomit-frame-pointer" 

Everything works as expected: 

mx1 ~ # clamscan postcard.zip 
postcard.zip: Trojan.Delf-5385 FOUND 

----------- SCAN SUMMARY ----------- 
Known viruses: 1358189 
Engine version: 0.95.2 
Scanned directories: 0 
Scanned files: 1 
Infected files: 1 
Data scanned: 0.08 MB 
Data read: 0.08 MB (ratio 1.00:1) 
Time: 9.645 sec (0 m 9 s) 
[...]

http://lurker.clamav.net/message/20090819.031013.bbe86efc.en.html for the full thread.

Today this bug made me insane, too. Maybe my information helps.

I found out that in my case scanning Windows .EXE files lead to a clamd crash. A mail with a exe inside a zip as mail attachement from avavisd-new was the clue. For example clamd doesn't like the latest putty from here: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
It crashes everytime the mail is scanned.

Downgrading to 0.95.1 solves the problem. But this ist not how I would like things to be.

My setup:
Kernel: 2.6.28-hardened-r9
CPU: Intel Xeon E5410

make.conf:
CHOST="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CXXFLAGS="${CFLAGS}"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
PORTAGE_RSYNC_EXTRA_OPTS="--progress"
MAKEOPTS="-j5"

USE="acpi caps logrotate mmx spamassassin sasl sse sse2"

Same issue here. Not using PaX, I'm using a xen-sources kernel in a DomU on amd64, and hardened gentoo profile.

It *appears* that re-emerging clamav with a vanilla gcc profile is enough to make it work, at least it's not crashed in two hours here (it lasted more or less two minuts before). Probably something with PIE or SSP or whatever else in hardened gcc.

Comment 27 Tony Vroon (RETIRED) 2009-09-14 10:16:02 UTC

(In reply to comment #24)
> But with, 
> CFLAGS="-pipe -fomit-frame-pointer" 

Confirmed, compiling with CFLAGS="-pipe" I now have a working clamscan:
gold / # clamscan /home/tony/1.ura 
/home/tony/1.ura: OK

----------- SCAN SUMMARY -----------
Known viruses: 1167043
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.61 MB
Data read: 0.05 MB (ratio 13.00:1)
Time: 7.494 sec (0 m 7 s)

System info:
Portage 2.1.6.13 (hardened/amd64, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 x86_64)
=================================================================
System uname: Linux-2.6.28-hardened-r9-x86_64-Dual-Core_AMD_Opteron-tm-_Processor_2218-with-gentoo-1.12.11.1
Timestamp of tree: Sun, 13 Sep 2009 23:20:01 +0000
app-shells/bash:     3.2_p39
dev-lang/python:     2.4.6, 2.5.4-r3, 2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=opteron -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=opteron -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://portage-rsync.linx.net/gentoo-portage"
USE="amavis amd64 bash-completion berkdb bzip2 clamdtop cracklib crypt diskio dkim elf gif gnutls gocr hardened hpn iconv ipv6 jbig jpeg jpeg2k justify logrotate ncurses no-old-linux nptl nptlonly pam perl pic python razor readline rle sasl spamassassin sse sse2 ssl svg sysfs tiff unicode urandom vhosts xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x 	ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 	trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 intel mach64 	mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis 	sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Confirmed here.  Remove -O2 appears to make clamd happy.  Using avamisd-new calling out to clamd and clamscan.  PaX + SeLinux amd64 kernel 2.6.28-r9

I've captured the message that crashes clamd.  As already noted, it appears to be a compressed executable attachment.  AVG flagged it as virus Packed.Revot

emerge --info follows:
Portage 2.1.6.13 (selinux/2007.0/amd64/hardened, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9-selinux x86_64)
=================================================================
System uname: Linux-2.6.28-hardened-r9-selinux-x86_64-Intel-R-_Xeon-R-_CPU_X3210_@_2.13GHz-with-gentoo-1.12.11.1
Timestamp of tree: Mon, 14 Sep 2009 14:45:02 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-lang/python:     2.6.2-r1
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks fixpackages loadpolicy parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://mirror.iawnet.sandia.gov/pub/gentoo/ ftp://ftp.ndlug.nd.edu/pub/gentoo/ http://open-systems.ufl.edu/mirrors/gentoo http://mirror.phy.olemiss.edu/mirror/gentoo http://mirror.utdlug.org/linux/distributions/gentoo/ "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="amd64 berkdb cli cracklib crypt dri fortran hardened iconv ipv6 isdnlog mmx mudflap ncurses nls openmp pam pcre perl pic pppd python readline reflection selinux session spl sse sse2 ssl tcpd vhosts zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

/etc/portage/package.use:
app-antivirus/clamav bzip2

I can provide other data if needed, and I am willing to do some testing if needed (though I may need someone to hold my hand if you need debugging info).

This is a bug in gentoo's patched gcc 3.4.6 compiler as described here:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1653#c22

This compiler is bugged when using -fno-strict-aliasing -O2, it overlaps
the address of a stack variable with the return address, leading to overwrite
of return address with 0, hence the segfault at 0 (see above bug for details):
gcc version 3.4.6 (Gentoo Hardened 3.4.6-r2 p1.6, ssp-3.4.6-1.0, pie-8.7.10)

Note that upstream 3.4.6/non-hardened 3.4.6 doesn't have this bug.

As a temporary fix you can remove -fno-strict-aliasing from ClamAV's configure.

But you should really use a compiler that:
 - is still supported upstream (3.4.6 is not)
 - doesn't have bugs introduced by custom ssp/pie/etc. patches

Especially for a hardened build that is supposed to avoid bugs, not introduce them.

For example GCC 4.3.4 has -fstack-protector (ssp), -pie, and doesn't need extra patches to get those features.

Please reassign the bug to gcc/hardened, this is NOT a ClamAV bug.

I can confirm this problem. Clamscan segfaults on the testfile from here and also on some files I got by mail (an infected windows executable).

Kernel: 2.6.30-gentoo-r5
GCC: x86_64-pc-linux-gnu-3.4.6
Profile: hardened/linux/amd64/10.0

I also tried the GIT Sources and they don't crash on the test files here.
ClamAV devel-r5076-198-g862cc2d/9861/Fri Oct  2 03:51:01 2009

(In reply to comment #30)
> I can confirm this problem. Clamscan segfaults on the testfile from here and
> also on some files I got by mail (an infected windows executable).
> 
> Kernel: 2.6.30-gentoo-r5
> GCC: x86_64-pc-linux-gnu-3.4.6
> Profile: hardened/linux/amd64/10.0
> 
> I also tried the GIT Sources and they don't crash on the test files here.
> ClamAV devel-r5076-198-g862cc2d/9861/Fri Oct  2 03:51:01 2009
> 

Ok, -fno-strict-aliasing is removed in GIT already for gcc < 4.3, this
was the commit that did that:
commit a0cbf9adc2e25283872824f4353fae6386e8e2ea
Author: Török Edvin <edwin@clamav.net>
Date:   Wed Sep 30 19:43:21 2009 +0300

    Only use -fno-strict-aliasing for gcc-4.3+, to avoid bugs with older compilers (bb #1581).

Created attachment 205836 [details]
Clamav-Devel ebuild (git repository)

This is the ebuild I used to compile clamd from git devel sources.
-> http://www.clamav.net/download/sources

It is based on clamav-0.95.2.ebuild. 
I had to disable the patch, I don't know what it does.
I'm also not sure if the use flags still work as expected.
You'll need some files from the original portage tree.

# mkdir -p /opt/portage/app-antivirus/clamav/files
# cd /opt/portage/app-antivirus/clamav/
# cp /usr/portage/app-antivirus/clamav/files/* ./files/
# cp ~/clamav-9999.ebuild clamav-9999.ebuild
# ebuild clamav-9999.ebuild digest
# ACCEPT_KEYWORDS="~x86 ~amd64" emerge -a clamav

There is easy workaround.

gcc-config -l will show available GCC profiles.
1.Before emerging clamav, select vanilla GCC profile without hardened candies.
2.then emerge clamav
3.Change profile back to original 

Clamav wont crash anymore.

Tested on 4 servers.

Created attachment 205838 [details, diff]
clamav-0.95.2-r1.ebuild.patch

attached there is an ebuild patch for 0.95.2 that filter the -fno-strict-aliasing flag from the configure.

herd @antivirus: just use it as a temporary workaround until upstream will realease a new clamav version that will definitively solve the issue as reported by Edwin in comment #31; p.s.: I have also cleaned up all the .la/.a files using the proper USE flag 'static-libs'.

Hope to be useful.
Mauro Toffanin

Created attachment 205841 [details, diff]
clamav-0.95.2-hardened.patch

Created attachment 205851 [details, diff]
Patch by Török Edwin

This patch is a replacement for clamav-0.95.2-hardened.patch.
It will only enable -fno-strict-aliasing on gcc >= 4.3.
From the comment I guess it would not be wise to disable it completely.
Patch is based on the current git sources, so credit goes to Török Edwin.

Verified it with Mauro Toffanin's ebuild patch and works as expected.
IMO the bug is resolved and can be closed. My thanks goes to Török Edwin!

So maybe someone could commit the patch to portage?

Comment 38 Gordon Malm (RETIRED) 2009-10-14 00:30:34 UTC

*** Bug 288965 has been marked as a duplicate of this bug. ***

Comment 39 Tobias Scherbaum (RETIRED) 2009-10-17 17:23:05 UTC

(In reply to comment #37)
> So maybe someone could commit the patch to portage?
> 

Just added clamav-0.95.2-r1.


(In reply to comment #29)
> This is a bug in gentoo's patched gcc 3.4.6 compiler as described here:
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1653#c22
> 
> This compiler is bugged when using -fno-strict-aliasing -O2, it overlaps
> the address of a stack variable with the return address, leading to overwrite
> of return address with 0, hence the segfault at 0 (see above bug for details):
> gcc version 3.4.6 (Gentoo Hardened 3.4.6-r2 p1.6, ssp-3.4.6-1.0, pie-8.7.10)
> 
> Note that upstream 3.4.6/non-hardened 3.4.6 doesn't have this bug.
> 
> As a temporary fix you can remove -fno-strict-aliasing from ClamAV's configure.
> 
> But you should really use a compiler that:
>  - is still supported upstream (3.4.6 is not)
>  - doesn't have bugs introduced by custom ssp/pie/etc. patches
> 
> Especially for a hardened build that is supposed to avoid bugs, not introduce
> them.
> 
> For example GCC 4.3.4 has -fstack-protector (ssp), -pie, and doesn't need extra
> patches to get those features.
> 
> Please reassign the bug to gcc/hardened, this is NOT a ClamAV bug.
> 

re-assigning to hardened@g.o, cc toolchain@g.o

I've just upgradede to clamav-0.92.2-r1 and the problem still exists:

clamav-test@jagdfalke.net /var/tmp/clamav-archive/files $ clamscan zip.000 
Segmentation fault
clamav-test@j /var/tmp/clamav-archive/files $ clamscan --scan-pe=no zip.000 
zip.000: OK

----------- SCAN SUMMARY -----------
Known viruses: 1181729
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 10.070 sec (0 m 10 s)
clamav-test@j /var/tmp/clamav-archive/files $ 

emerge --info:
Portage 2.1.6.13 (hardened/linux/amd64/10.0/no-multilib, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.27.29-s0.1.1-3 x86_64)
=================================================================
System uname: Linux-2.6.27.29-s0.1.1-3-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5200+-with-gentoo-1.12.11.1
Timestamp of tree: Sat, 24 Oct 2009 02:15:02 +0000
app-shells/bash:     4.0_p28
dev-lang/python:     2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -march=athlon64 -Os -fomit-frame-pointer -mno-tls-direct-seg-refs"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/mailman/Mailman/MTA/ /usr/share/logwatch"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-pipe -march=athlon64 -Os -fomit-frame-pointer -mno-tls-direct-seg-refs"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS=" --usepkgonly --with-bdeps=n"
FEATURES="buildpkg collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict stricter unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="de en en_GB fr es"
MAKEOPTS="-j1"
PKGDIR="/usr/portage-pkg"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://juliet.t6.jagdfalke.net/gentoo-portage"
USE="amd64 apache2 bash-completion berkdb bzip2 cli cracklib crypt doc dovecot-sasl dri epydoc examples fastcgi gdbm gpm hardened iconv iproute2 isdnlog jpeg justify logrotate logwatch mailwrapper milter mmx modules mudflap mysql ncurses nls nptl nptlonly openmp pam pam_chroot pcre perl pic png postfix pppd python readline reflection session sieve spl sse sse2 ssl sysfs tcl tcpd threads tiff truetype unicode urandom userlocales web webdav xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de en en_GB fr es" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

$ gcc -v
Reading specs from /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/specs
Configured with: /var/tmp/portage/sys-devel/gcc-3.4.6-r2/work/gcc-3.4.6/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/3.4.6 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/3.4.6 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/3.4.6/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/3.4.6/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/include/g++-v3 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-multilib --disable-libgcj --enable-languages=c,c++,treelang --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread model: posix
gcc version 3.4.6 (Gentoo Hardened 3.4.6-r2 p1.6, ssp-3.4.6-1.0, pie-8.7.10)

From the clamav bug tracker:

"This got fixed in c7b5ac77ca8fe3f4747035f9259ccf38d66cc3b7 and will be included
in 0.95.3"

* 0.95.3
* 28 Oct 2009 17:03
Changes: This is a bugfix release recommended for all users.


in portage, but not stable
maybe need request for stable ?

app-antivirus/clamav-0.95.3 is marked stable and definitively solve the problem; can I close this bug report?

I confirmed the problem in #40 and I'm using ClamAV-0.95.3 (GCC 3.4) now.  

The problem is indeed fixed for me.  I believe you can close this bug, although I'm not the reporter. 

Regards,
Milan

(In reply to comment #43)
> app-antivirus/clamav-0.95.3 is marked stable and definitively solve the
> problem; can I close this bug report?
> 

Stable on all x64 and x32 systems, that i have.
I do use hardened gcc-4.3 at the moment with both glibc (2.9 2.10) and no problems so far.
There is no reason for this bug to stay open.

> (In reply to comment #43)
> app-antivirus/clamav-0.95.3 is marked stable and definitively solve the
> problem; can I close this bug report?
> 

Confirming stable on x86_64 here as well.  Also using gcc 4.3.4 and glibc 2.9_p20081201-r2