
Clamscan Crashes on AIX When Scanning ZIP Files Containing MS-EXE/DLL Files #1435

Open
caiusionduca opened this issue Jan 13, 2025 · 5 comments · May be fixed by #1437

Comments

@caiusionduca

Hello,

I am encountering an issue with ClamAV on AIX 7.2. Specifically, Clamscan crashes when scanning certain ZIP or JAR files that contain MS-EXE/DLL files inside. For example:

/var/ibm/InstallationManager/bundles/plugins/com.ibm.ws.check.os.v80_8.0.5024.20230413_1800.jar
/opt/freeware/lib/python3.7/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl
This issue seems to occur only with files containing Windows executables or libraries (MS-EXE/DLL). Other ZIP or JAR files without these contents scan successfully.

I am using ClamAV version 1:1.0.7-2.ppc. The crashes do not produce meaningful error messages, making it difficult to identify the root cause.

Has anyone else experienced this issue on AIX or other platforms? Are there known workarounds or fixes for handling such files without causing Clamscan to crash?

I would greatly appreciate any guidance or suggestions from the community.

Thank you in advance for your help!

@KamathForAIX
Contributor

@micahsnyder ,

@caiusionduca has reported this issue correctly. The other AIX customers will also see this issue.

What is happening is we have a problem here.

This load module function will not work properly in AIX since we do not have a LD_LIBRARY_PATH environment variable. We have a LIBPATH environment variable, which we can use.

Hence the below happens:

LibClamAV debug: searching for unrar: /opt/freeware/lib/libclamunrar_iface.a.11 not found
LibClamAV debug: searching for unrar: /opt/freeware/lib/libclamunrar_iface.a not found
LibClamAV debug: searching for unrar: /opt/freeware/lib/libclamunrar_iface..a not found
LibClamAV debug: Cannot dlopen libclamunrar_iface:      0509-022 Cannot load module /opt/freeware/lib/libclamunrar_iface..a.
        0509-026 System error: A file or directory in the path name does not exist. - unrar support unavailable
LibClamAV debug: Initialized 1.0.7 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling rege

And Clamscan crashes with a core dump.

I would like to make changes in that place to support this in AIX and raise a PR. I am working on the fix and testing.

Want to keep you informed, @micahsnyder :)
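A minimal illustration of the platform difference KamathForAIX describes above, added here as an example and not taken from ClamAV's own loader code: it picks the runtime-linker search variable by platform (LIBPATH on AIX, LD_LIBRARY_PATH elsewhere; the assumption is that only these two cases matter) and then walks that colon-separated list looking for a readable candidate file, which is the part of a "searching for unrar" routine that has to be AIX-aware. The demo main(), the library file name it looks for and the 4096-byte path buffer are placeholders chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Name of the environment variable the runtime linker consults for extra
 * shared-library directories. AIX uses LIBPATH; the Linux/BSD convention is
 * LD_LIBRARY_PATH. Assumption: these are the only two cases handled here. */
const char *lib_path_env_name(void)
{
#ifdef _AIX
    return "LIBPATH";
#else
    return "LD_LIBRARY_PATH";
#endif
}

/* Walk a colon-separated directory list and look for a readable file named
 * `libname` in each entry. On success the full path is written to `out` and
 * 1 is returned; otherwise `out` is emptied and 0 is returned. Empty entries
 * and entries too long for `out` are skipped rather than treated as errors,
 * so a malformed or NULL `dirs` simply yields "not found". */
int find_in_path_list(const char *dirs, const char *libname,
                      char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return 0;
    out[0] = '\0';
    if (dirs == NULL || libname == NULL)
        return 0;

    const char *p = dirs;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);
        if (dlen > 0) {
            int n = snprintf(out, outlen, "%.*s/%s", (int)dlen, p, libname);
            if (n > 0 && (size_t)n < outlen && access(out, R_OK) == 0)
                return 1;           /* first readable match wins */
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    /* Placeholder library name for the demo; ClamAV builds its own list of
     * candidate names (with and without a version suffix), not reproduced here. */
    const char *lib = "libclamunrar_iface.a";
    const char *var = lib_path_env_name();
    const char *dirs = getenv(var);
    char path[4096];

    if (dirs == NULL) {
        printf("%s is not set; only the default linker directories apply\n", var);
        return 0;
    }
    if (find_in_path_list(dirs, lib, path, sizeof path))
        printf("found %s via %s: %s\n", lib, var, path);
    else
        printf("%s not found in any %s entry (%s)\n", lib, var, dirs);
    return 0;
}
```

Running this on the affected box with LIBPATH set the way clamscan sees it shows whether the candidate file is reachable at all; if it is and the scan still crashes, the loader path is not the cause, which is the point val-ms makes in the next comment.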

@val-ms
Contributor

val-ms commented Jan 17, 2025

@KamathForAIX I don't think the library load issue has anything to do with the crash. The dynamic unrar loading process is designed to keep going if unrar can't be found.

Can you test if the crash also occurs in 1.4? We've made a number of code quality improvements in the PE (EXE/DLL) parser since 1.0 along the lines of pointer alignment, overlapping memory copies, and more.

E.g.

@KamathForAIX
Contributor

@micahsnyder Even in 1.4 it core dumps.

LibClamAV debug: cli_pcre_report: PCRE2 Execution Report:
LibClamAV debug: cli_pcre_report: running regex /\b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)/ returns -1
LibClamAV debug: cli_pcre_report: no match found
LibClamAV debug: cli_pcre_report: PCRE Execution Report End
LibClamAV debug: 
LibClamAV debug: 
LibClamAV debug: cli_pcre_report: PCRE2 Execution Report:
LibClamAV debug: cli_pcre_report: running regex /(CANON|NIKON|photo|img|IMG|pic|SHOT|swift|EPSON)[a-z\d]{1,20}\.js/ returns -1
LibClamAV debug: cli_pcre_report: no match found
LibClamAV debug: cli_pcre_report: PCRE Execution Report End
LibClamAV debug: 
LibClamAV debug: 
LibClamAV debug: cli_pcre_report: PCRE2 Execution Report:
LibClamAV debug: cli_pcre_report: running regex /SKMBT[\W_][\w]{0,16}\.exe/ returns -1
LibClamAV debug: cli_pcre_report: no match found
LibClamAV debug: cli_pcre_report: PCRE Execution Report End
LibClamAV debug: 
LibClamAV debug: groupicon_cb: scanning group 7f00
LibClamAV debug: cli_scanicon: icon group @3860
LibClamAV debug: cli_scanicon: Icongrp @40f8 - 32x32x4 - (id=2, rsvd=1, planes=16, palcnt=0, sz=2e8)
LibClamAV debug: parseicon: Bitmap - 32x32x4
Segmentation fault (core dumped)

clamscan --version

ClamAV 1.4.0/27525/Tue Jan 21 03:37:18 2025

@KamathForAIX
Contributor

@micahsnyder

So AIX has two pow() functions. One in libbsd and another in libc. The way we built clamav in AIX, when the code here hit, we used bsd pow(), and the value was difficult for that legacy pow() to handle, leading to a core dump.

If we link the libc pow() correctly, then we will not see the issue. Which I have done.

Attaching the log below of the correct output.

With this fix and a PR I raised, I would like to close this issue. The pull request makes the load module function AIX-friendly.

Thanks for your help. You can always contact me for AIX issues. Kindly let me know what you think about the PR :)

#  clamscan -v -r /var/cust_test/plugins/com.ibm.cic.agent.core.nativeInstallAdapter.win32_1.3.6.v20240828_2044/os/win32/x86/DotNetHandler.exe 
Loading:    26s, ETA:   0s [========================>]    8.70M/8.70M sigs       
Compiling:   5s, ETA:   0s [========================>]       41/41 tasks 

Scanning /var/cust_test/plugins/com.ibm.cic.agent.core.nativeInstallAdapter.win32_1.3.6.v20240828_2044/os/win32/x86/DotNetHandler.exe
/var/cust_test/plugins/com.ibm.cic.agent.core.nativeInstallAdapter.win32_1.3.6.v20240828_2044/os/win32/x86/DotNetHandler.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 8704059
Engine version: 1.5.0-devel-20250122
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.00:1)
Time: 33.800 sec (0 m 33 s)
Start Date: 2025:01:22 06:52:19
End Date:   2025:01:22 06:52:53

@kwwcb

kwwcb commented Feb 3, 2025

Running into this on AIX as well - recreated by scanning (ClamAV version 1.0.7):
/opt/freeware/bin/clamscan /opt/freeware/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl

Snippet from the core dump, reinforces what @KamathForAIX mentioned:
Segmentation fault in pow.pow [/usr/lib/libbsd.a] at 0x900000000dce178

KamathForAIX added a commit to KamathForAIX/clamav that referenced this issue Feb 4, 2025