Bug 329323 - app-antivirus/clamav-0.96.1 clamd becomes unresponsive after PaX execution attempt
Status: RESOLVED DUPLICATE of bug 326199
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Linux bug wranglers
Reported: 2010-07-21 19:49 UTC by Attila Tóth
Modified: 2010-07-25 17:51 UTC
Description Attila Tóth 2010-07-21 19:49:18 UTC
I'm using the latest stable version of clamd with clamav-milter.
The server is running Hardened flavor of Gentoo. I'm using SaneSecurity
signatures as well.
For the past few weeks I noticed that clamav-milter stops working because
clamd becomes unresponsive:

"
Jul 21 20:35:21 atoth clamav-milter[5810]: Failed to initiate streaming/fdpassing
"

Before the symptom the system tries to process an email message. The daemon
gets blocked by PaX. That won't make the daemon crash, which keeps on running
and appears on the list of running processes. The temporary files of the
triggering email message remain in the temporary folder. I could trigger this
behavior using a non-infected xls attachment.
PaX error message looks like this:
"
Jul 21 20:13:28 atoth kernel: PAX: execution attempt in: <anonymous mapping>, 4d7d8000-50d81000 4d7d8000
Jul 21 20:13:28 atoth kernel: PAX: terminating task: /usr/sbin/clamd(clamd):10976, uid/euid: 103/103, PC: 4d820810, SP: 37ff3f2c
Jul 21 20:13:28 atoth kernel: PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 44 fe ff ff 83 c4 04 c3 b3 04 00 00
Jul 21 20:13:28 atoth kernel: PAX: bytes at SP-4: 37ff3ff8 518cbd97 37ff45b8 37ff3f50 517daeac 517cac5d 517ca8a0 377f74a0 4d820810 37ff45b8 52067cc0 00000000 37ff4080 37ff3ff8 419e8bd1 a6995f1d 00000000 517d5940 00000006 377f7b70 000fffff
"
or:
"
Jul 21 13:03:06 atoth kernel: PAX: execution attempt in: <anonymous mapping>, 4cba7000-501b7000 4cba7000
Jul 21 13:03:06 atoth kernel: PAX: terminating task: /usr/sbin/clamd(clamd):31857, uid/euid: 103/103, PC: 4cbf5810, SP: 374a8f2c
Jul 21 13:03:06 atoth kernel: PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 44 fe ff ff 83 c4 04 c3 b3 04 00 00
Jul 21 13:03:06 atoth kernel: PAX: bytes at SP-4: 374a8ff8 50c80d97 374a95b8 374a8f50 50b8feac 50b7fc5d 50b7f8a0 36c6c4a0 4cbf5810 374a95b8 5141ccc0 00000000 374a9080 374a8ff8 7dbfe227 78b836e8 00000000 50b8a940 00000006 36c6cb70 000fffff
"

Startup information:
"
Jul 21 21:07:26 atoth clamd[11928]: clamd daemon 0.96.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
Jul 21 21:07:26 atoth clamd[11928]: Running as user clamav (UID 103, GID 410)
Jul 21 21:07:26 atoth clamd[11928]: Log file size limited to 5242880 bytes.
Jul 21 21:07:26 atoth clamd[11928]: Reading databases from /var/lib/clamav
Jul 21 21:07:58 atoth clamd[11928]: Loaded 2147028 signatures.
Jul 21 21:07:59 atoth clamd[11928]: TCP: Bound to address 127.0.0.1 on port 3310
Jul 21 21:07:59 atoth clamd[11928]: TCP: Setting connection queue length to 15
Jul 21 21:07:59 atoth clamd[11932]: Limits: Global size limit set to 10485760 bytes.
Jul 21 21:07:59 atoth clamd[11932]: Limits: File size limit set to 10485760 bytes.
Jul 21 21:07:59 atoth clamd[11932]: Limits: Recursion level limit set to 3.
Jul 21 21:07:59 atoth clamd[11932]: Limits: Files limit set to 300.
Jul 21 21:07:59 atoth clamd[11932]: Archive support enabled.
Jul 21 21:07:59 atoth clamd[11932]: Algorithmic detection enabled.
Jul 21 21:07:59 atoth clamd[11932]: Portable Executable support enabled.
Jul 21 21:07:59 atoth clamd[11932]: ELF support enabled.
Jul 21 21:07:59 atoth clamd[11932]: Detection of broken executables enabled.
Jul 21 21:07:59 atoth clamd[11932]: Mail files support enabled.
Jul 21 21:07:59 atoth clamd[11932]: Mail: RFC1341 handling enabled.
Jul 21 21:07:59 atoth clamd[11932]: OLE2 support enabled.
Jul 21 21:07:59 atoth clamd[11932]: PDF support enabled.
Jul 21 21:07:59 atoth clamd[11932]: HTML support enabled.
Jul 21 21:07:59 atoth clamd[11932]: Heuristic: precedence enabled
Jul 21 21:07:59 atoth clamd[11932]: Structured: Minimum Credit Card Number Count set to 8
Jul 21 21:07:59 atoth clamd[11932]: Structured: Minimum Social Security Number Count set to 8
Jul 21 21:07:59 atoth clamd[11932]: Self checking every 42300 seconds.
Jul 21 21:08:02 atoth freshclam[11942]: freshclam daemon 0.96.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
Jul 21 21:08:02 atoth freshclam[11942]: ClamAV update process started at Wed Jul 21 21:08:02 2010
Jul 21 21:08:02 atoth freshclam[11942]: main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Jul 21 21:08:02 atoth freshclam[11942]: Downloading daily-11404.cdiff [100%]
Jul 21 21:08:02 atoth freshclam[11942]: daily.cld updated (version: 11404, sigs: 104268, f-level: 53, builder: ccordes)
Jul 21 21:08:03 atoth freshclam[11942]: Downloading safebrowsing-22518.cdiff [100%]
Jul 21 21:08:03 atoth freshclam[11942]: Downloading safebrowsing-22519.cdiff [100%]
Jul 21 21:08:04 atoth freshclam[11942]: Downloading safebrowsing-22520.cdiff [100%]
Jul 21 21:08:13 atoth freshclam[11942]: Downloading safebrowsing-22521.cdiff [100%]
Jul 21 21:08:21 atoth freshclam[11942]: Downloading safebrowsing-22522.cdiff [100%]
Jul 21 21:08:23 atoth clamav-milter[11985]: +++ Started at Wed Jul 21 21:08:23 2010
Jul 21 21:08:43 atoth freshclam[11942]: safebrowsing.cld updated (version: 22522, sigs: 731054, f-level: 53, builder: google)
Jul 21 21:08:43 atoth freshclam[11942]: Downloading bytecode-32.cdiff [100%]
Jul 21 21:08:43 atoth freshclam[11942]: bytecode.cld updated (version: 32, sigs: 8, f-level: 53, builder: edwin)
Jul 21 21:08:43 atoth freshclam[11942]: Database updated (1540057 signatures) from database.clamav.net (IP: 195.228.75.149)
Jul 21 21:08:43 atoth freshclam[11942]: Clamd successfully notified about the update.
Jul 21 21:08:43 atoth freshclam[11942]: SubmitDetectionStats: Submitted 20 records
Jul 21 21:08:43 atoth freshclam[11942]: --------------------------------------
Jul 21 21:08:45 atoth clamd[11932]: Reading databases from /var/lib/clamav
Jul 21 21:09:17 atoth clamd[11932]: Database correctly reloaded (2149527 signatures)
"

Regards:
Dw.

Reproducible: Always

Steps to Reproduce:
I could trigger it by sending an email with a non-infected xls attachment.



Upstream: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2134
Comment 1 Attila Tóth 2010-07-21 19:54:30 UTC
Trying to clamscan the file kills the process leaving a PaX log entry behind:
"
Jul 21 21:51:29 atoth kernel: PAX: From 78.92.183.225: execution attempt in: <anonymous mapping>, 4c26d000-4f7ec000 4c26d000
Jul 21 21:51:29 atoth kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):12709, uid/euid: 1000/1000, PC: 4c28b810, SP: 5b0db9cc
Jul 21 21:51:29 atoth kernel: PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 44 fe ff ff 83 c4 04 c3 b3 04 00 00
Jul 21 21:51:29 atoth kernel: PAX: bytes at SP-4: 5b0dba98 502ffd97 5b0dc058 5b0db9f0 5020eeac 501fec5d 501fe8a0 372244a0 4c28b810 5b0dc058 50a9bcc0 00000000 5b0dbb20 5b0dba98 d2243212 96ae2604 00000000 50209940 00000006 37224b70 000fffff
"

Unfortunately the file contains sensitive patient data, therefore I cannot share it here.

Regards:
Dw.
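
The PaX records in the description and in Comment 1 can be folded into one event per termination and grouped by the "bytes at PC" value, which shows whether clamd and clamscan were stopped at the same code. This is an added example, not part of the bug report or of ClamAV; the sample lines are copied from the report with the wrapped lines rejoined, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample lines copied from the report above (wrapped lines rejoined).
SAMPLE = """\
Jul 21 20:13:28 atoth kernel: PAX: execution attempt in: <anonymous mapping>, 4d7d8000-50d81000 4d7d8000
Jul 21 20:13:28 atoth kernel: PAX: terminating task: /usr/sbin/clamd(clamd):10976, uid/euid: 103/103, PC: 4d820810, SP: 37ff3f2c
Jul 21 20:13:28 atoth kernel: PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 44 fe ff ff 83 c4 04 c3 b3 04 00 00
Jul 21 20:35:21 atoth clamav-milter[5810]: Failed to initiate streaming/fdpassing
Jul 21 21:51:29 atoth kernel: PAX: From 78.92.183.225: execution attempt in: <anonymous mapping>, 4c26d000-4f7ec000 4c26d000
Jul 21 21:51:29 atoth kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):12709, uid/euid: 1000/1000, PC: 4c28b810, SP: 5b0db9cc
Jul 21 21:51:29 atoth kernel: PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 44 fe ff ff 83 c4 04 c3 b3 04 00 00
""".splitlines()

ATTEMPT = re.compile(r"PAX: (?:From \S+: )?execution attempt in: (.+), ([0-9a-f]+)-([0-9a-f]+) ")
TASK = re.compile(r"PAX: terminating task: (\S+)\((\w+)\):(\d+), uid/euid: (\d+)/(\d+), PC: ([0-9a-f]+)")
BYTES = re.compile(r"PAX: bytes at PC: ((?:[0-9a-f]{2} ?)+)")

def parse_pax_events(lines):
    """Fold each attempt / terminating task / bytes-at-PC group into one event dict."""
    events, cur = [], None
    for line in lines:
        if m := ATTEMPT.search(line):
            cur = {"region": m[1], "start": int(m[2], 16), "end": int(m[3], 16)}
            events.append(cur)
        elif cur is not None and (m := TASK.search(line)):
            cur.update(path=m[1], pid=int(m[3]), uid=int(m[4]), pc=int(m[6], 16))
            # True when the faulting PC lies inside the mapping PaX named.
            cur["pc_in_region"] = cur["start"] <= cur["pc"] < cur["end"]
        elif cur is not None and (m := BYTES.search(line)):
            cur["code"] = m[1].strip()
    return events

def group_by_code(events):
    """Map each 'bytes at PC' string to the set of binaries terminated while executing it."""
    groups = defaultdict(set)
    for e in events:
        groups[e.get("code")].add(e.get("path"))
    return dict(groups)

if __name__ == "__main__":
    for code, paths in group_by_code(parse_pax_events(SAMPLE)).items():
        print(sorted(paths), "->", code)
```
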
Comment 2 Attila Tóth 2010-07-21 20:06:14 UTC
My problem seems to be related to document files. OpenOffice documents and pdf files pass the scanner without lockups. Microsoft Office documents trigger the issue in my scenario. I attached example files to the upstream bug.
Comment 3 Attila Tóth 2010-07-21 21:47:40 UTC
Upstream made the bug a duplicate of another.
That would mean this bug is a duplicate of http://bugs.gentoo.org/show_bug.cgi?id=326199.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-25 17:51:51 UTC

*** This bug has been marked as a duplicate of bug 326199 ***