Looks like when freshclam runs on PaX systems, it segfaults (terminated by PaX). This started on 6/28/2010 at approximately 1PM MST.

I posted the following thread on the forums: http://forums.gentoo.org/viewtopic-p-6335753.html

I also posted a bug upstream at ClamAV: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092

It appears to be an issue with the execution of RWX memory on PaX systems. They mentioned they'd look into the problem and how to address it. I would assume that there will be an update shortly.

During make test checks, this is where the bomb is:

[ RUN ] JIT.GlobalInFunction
/bin/sh: line 5: 6765 Killed (core dumped) ${dir}$tst
FAIL: llvmunittest_JIT
GNU Make 3.81
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Here is what it looks like in the logs when it bombs:

Jun 28 13:09:14 comp freshclam[12068]: --------------------------------------
Jun 28 13:09:50 comp kernel: PAX: terminating task: /usr/sbin/clamd(clamd):12092, uid/euid: 105/105, PC: 48a716d0, SP: 4820c2ec
Jun 28 13:10:25 comp kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):12255, uid/euid: 105/105, PC: 462946d0, SP: 5cc9f08c
Jun 28 13:26:27 comp kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):14290, uid/euid: 105/105, PC: 3f7eb6d0, SP: 581766cc
Jun 28 13:34:56 comp kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):15237, uid/euid: 105/105, PC: 4a4b26d0, SP: 5b5060ac
Jun 28 13:36:36 comp kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):15481, uid/euid: 105/105, PC: 4cad66d0, SP: 5eab854c
Jun 28 13:36:40 comp kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):15486, uid/euid: 105/105, PC: 468226d0, SP: 587e32cc
Jun 28 13:38:16 comp kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):15631, uid/euid: 105/105, PC: 44fd16d0, SP: 5913079c

Reproducible: Always

Steps to Reproduce:
1. Have Hardened-sources, clamav running
2. Wait for freshclam update
3. Listen for bomb, clamd service stops

Actual Results:
clamd service is stopped, mail system gets hung waiting for AV

Expected Results:
Everything should work.

Portage 2.1.8.3 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.11.1-r0, 2.6.28-hardened-r9 i686)
=================================================================
System uname: Linux-2.6.28-hardened-r9-i686-AMD_Duron-TM-with-gentoo-1.12.13
Timestamp of tree: Mon, 28 Jun 2010 08:30:01 +0000
app-shells/bash: 4.0_p37
dev-java/java-config: 2.1.10
dev-lang/python: 2.5.4-r3, 2.6.5-r2, 3.1.2-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox: 1.6-r2
sys-devel/autoconf: 2.13, 2.65
sys-devel/automake: 1.7.9-r1, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.1.2, 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=i686 -funroll-loops -pipe "
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O3 -march=i686 -funroll-loops -pipe "
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 berkdb bzip2 cli cracklib crypt cxx dri gdbm gpm hardened iconv innodb maildir modules mudflap mysql ncurses nptl nptlonly openmp openssh pam pcre perl php pic pppd pwdb python readline reflection sasl session snortsam spl ssl sysfs tcpd urandom x86 xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"
APACHE2_MPMS="prefork"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware voodoo"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
paxctl -m /usr/sbin/clamd help here
(In reply to comment #1)
> paxctl -m /usr/sbin/clamd help here

That didn't work for me. I disabled PAGEEXEC, MPROTECT, RANDEXEC and EMUTRAMP on my boxes, and it continued to crash. Apparently it was related to attachments with bytecode only, so you may not be seeing that at the moment. I guess you can send thumbs.db and you might be able to force a crash at that time.

The suggested workaround at the moment is to disable bytecode checking by adding 'Bytecode off' to freshclam.conf.

Some good info here: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092
> > paxctl -m /usr/sbin/clamd help here

paxctl -m actually helped in my case. Of course, you have to run it on every executable you use; if you run clamscan, run it on the clamscan executable, and so on.
*** Bug 329323 has been marked as a duplicate of this bug. ***
For kernel 2.6.32-hardened-r9 with grsec, PaX and clamav-0.96.1: tried all the paxctl workarounds but none worked; however, 'Bytecode no' in freshclam.conf plus deleting /var/lib/clamav/bytecode.cvd worked for me ('Bytecode off' gave 'ERROR: Incorrect argument format for option Bytecode').
Seems to be fixed in 0.96.2 so I'll add the version bump request as dependency.
I'm not sure if I should open a new bug. On the hardened profile, freshclam can't use JIT (and bytecode), and throws:

[...]
Downloading daily-12394.cdiff [100%]
daily.cld updated (version: 12394, sigs: 11180, f-level: 58, builder: arnaud)
Downloading bytecode-94.cdiff [100%]
Downloading bytecode-95.cdiff [100%]
[LibClamAV] Bytecode: disabling JIT because PaX is preventing 'mprotect' access. Run 'paxctl -cm <executable>'
ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted

The same with clamd:

LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect' access.

Yes, I can run paxctl on the libclamav lib, but I wonder whether it should be done by the ebuild?
(In reply to comment #7)
> I'm not sure if should i open new bug. On hardened profile, freshclam can't use
> JIT (and bytecode), throws:
> [...]
> Downloading daily-12394.cdiff [100%]
> daily.cld updated (version: 12394, sigs: 11180, f-level: 58, builder: arnaud)
> Downloading bytecode-94.cdiff [100%]
> Downloading bytecode-95.cdiff [100%]
> [LibClamAV] Bytecode: disabling JIT because PaX is preventing 'mprotect'
> access.
> Run 'paxctl -cm <executable>'
> ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't
> allocate RWX Memory: Operation not permitted
>
> The same with clamd:
> LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not
> permitted
> LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect'
> access.
>
> Yes, i can run paxctl on libclamav lib but i wonder maybe should it be done by
> ebuild?

For the current clamav it is the expected behavior. If you don't remove mprotect, clamav detects it and disables JIT features. You have the choice.
> For the current clamav it is the expected behavior. If you don't remove
> mprotect, clamav detects it and disables JIT features. You have the choice.

I prefer choosing via USE flags, for example USE="SECURITY_HAZARD". If I enable mprotect manually, I've got to remember to do it next time, and $(equery k clamav) shows an incorrect MD5sum for libclamav. But if there are good reasons not to do it with a USE flag, I can live with it ;)

(It would be nice to have the possibility to create one's own "post_install action" for a chosen package.)
(In reply to comment #9)
> > For the current clamav it is the expected behavior. If you don't remove
> > mprotect, clamav detects it and disables JIT features. You have the choice.
>
> I prefer choosing using USE flags, for example USE="SECURITY_HAZARD". If i
> enable mprotect manually, i've got to remember to do it next time and $(equery
> k clamav) shows incorrect MD5sum for liblcamav. But if there are good reason to
> don't do it with USE flag, i can live with it ;)
> (It would be nice to have possibility to create own "post_install action" for
> choosen package)

I'm not a developer. I've heard some rumors about a jit USE flag. You may pay a visit to the hardened Gentoo IRC channel...
 * Starting clamd ...
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect' access. Run 'paxctl -cm <executable>'
 [ ok ]
 * Starting freshclam ...
 [ ok ]

I started getting this warning with 0.96.5; setting "Bytecode no" in freshclam.conf of course helped get rid of that warning.
> LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect'

You can disable JIT bytecode by setting

Bytecode no

in /etc/clamd.conf. It will remove the error message and clamav will continue working fine.
(In reply to comment #12)
> > LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect'
>
> You can disable JIT bytecode by setting
>
> Bytecode no
>
> in /etc/clamd.conf. It will remove the error message and clamav will continue
> working fine.

Okay, ignore that comment, it is misleading. We *want* bytecode because it allows for more sophisticated detection. We just don't want to interpret the bytecode via JIT, rather than the old way via an interpreter.

As of clamav-0.96.5, clamd detects whether the system is able to allocate an RWX page (line 156 of libclamav/c++/detect.cpp) by simply trying to do so. If it fails, then it simply displays the warning message "RWX mapping denied: ..." (line 158), and it fails to set a bitfield in env->os_features (line 160) which is later used in libclamav/bytecode.c to revert to CL_BYTECODE_MODE_INTERPRETER (line 2446) rather than JIT. This code is called only once upon startup when cli_detect_environment() is run, and so the error message is seen only once.

I don't really see any problem here as of version 0.96.5.
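Comment #13 above describes the probe libclamav uses to choose between the JIT and the interpreter: try to map one RWX page, and if the kernel refuses, stay on the interpreter. The program below is an added illustration of that mechanism written for this thread; it is not ClamAV's code and the function and enum names (rwx_mapping_allowed, mprotect_to_exec_allowed, choose_bytecode_mode, BYTECODE_MODE_*) are hypothetical. It also adds a second probe, mprotect() from RW to RX on an anonymous page, which is the other operation PaX MPROTECT denies and the one the "paxctl -cm" hint in the warning is about.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names; libclamav uses CL_BYTECODE_MODE_* and env->os_features. */
enum bytecode_mode { BYTECODE_MODE_JIT = 1, BYTECODE_MODE_INTERPRETER = 2 };

/* Probe 1 (what detect.cpp does per comment #13): can this process obtain an
 * anonymous page that is readable, writable and executable at the same time?
 * Returns 1 if yes, 0 if the kernel refuses (EPERM under PaX MPROTECT). */
int rwx_mapping_allowed(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;           /* errno is left set for the caller to report */
    munmap(p, pagesize);
    return 1;
}

/* Probe 2 (added here, not part of ClamAV's check): can a page that was
 * writable be flipped to executable afterwards?  MPROTECT also denies this,
 * because the page may already contain attacker-controlled bytes. */
int mprotect_to_exec_allowed(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    int ok = (mprotect(p, pagesize, PROT_READ | PROT_EXEC) == 0);
    munmap(p, pagesize);
    return ok;
}

/* Policy mirrored from the thread: no RWX page means interpreter mode.
 * Kept as a pure function so the decision can be checked without PaX. */
enum bytecode_mode choose_bytecode_mode(int rwx_ok)
{
    return rwx_ok ? BYTECODE_MODE_JIT : BYTECODE_MODE_INTERPRETER;
}

int main(void)
{
    int rwx = rwx_mapping_allowed();
    int saved_errno = errno;
    int mp = mprotect_to_exec_allowed();

    if (!rwx)
        fprintf(stderr, "RWX mapping denied: %s\n", strerror(saved_errno));
    printf("RWX mmap allowed: %s, RW->RX mprotect allowed: %s\n",
           rwx ? "yes" : "no", mp ? "yes" : "no");
    printf("bytecode mode: %s\n",
           choose_bytecode_mode(rwx) == BYTECODE_MODE_JIT ? "JIT" : "interpreter");
    return 0;
}
```

On a kernel without PaX both probes succeed and the program reports JIT; on a hardened kernel with MPROTECT active for the binary both fail with EPERM and it reports interpreter, which is exactly the "expected behavior" comment #8 describes. Running paxctl -m on the binary is what makes the first probe succeed, at the cost of the W^X guarantee for that process.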
*** Bug 458268 has been marked as a duplicate of this bug. ***
Does anyone know if this is still a problem? -- just asking since that version has long been removed from the tree (oldest version in the tree is 0.98 at the moment)
(In reply to Thomas Raschbacher from comment #15)
> Does anyone know if this is still a problem? -- just asking since that
> version has long been removed from the tree (oldest version in the tree is
> 0.98 at the moment)

On my systems clamav currently correctly detects whether mprotect is enabled or not and acts accordingly. I think this problem has been solved. Although it would be good to hear the same from another hardened user.
I can confirm it's been working correctly for a long time now.
I can concur as well as note that the version of clamav under question is no longer in the tree. Marking this as fixed if I don't hear anything by Sept 20.