Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Segmentation fault scanning a locale file #1262

Closed dsotirho-ucsc closed 6 months ago

dsotirho-ucsc commented 6 months ago

Describe the bug

ClamAV scan crashes with a Segmentation fault scanning a particular file: python3/dist-packages/mercurial/locale/ja/LC_MESSAGES/hg.mo

This crash occurs with ClamAV v1.3.0-41 but not a previous version v1.2.1-27.

…
Mar 19 07:26:23 ip-172-21-0-99 docker: clamscan: Scanning /scan/mnt/gitlab/docker/overlay2/cb91ee0a392a8b157d52474fa67092b0f65041470a53a5db9824b6d47461187a/diff/usr/lib/python3/dist-packages/mercurial/locale/zh_CN/LC_MESSAGES/hg.mo
Mar 19 07:26:23 ip-172-21-0-99 docker: clamscan: Scanning /scan/mnt/gitlab/docker/overlay2/cb91ee0a392a8b157d52474fa67092b0f65041470a53a5db9824b6d47461187a/diff/usr/lib/python3/dist-packages/mercurial/locale/zh_TW/LC_MESSAGES/hg.mo
Mar 19 07:26:23 ip-172-21-0-99 docker: clamscan: Scanning /scan/mnt/gitlab/docker/overlay2/cb91ee0a392a8b157d52474fa67092b0f65041470a53a5db9824b6d47461187a/diff/usr/lib/python3/dist-packages/mercurial/locale/it/LC_MESSAGES/hg.mo
Mar 19 07:26:23 ip-172-21-0-99 docker: clamscan: Scanning /scan/mnt/gitlab/docker/overlay2/cb91ee0a392a8b157d52474fa67092b0f65041470a53a5db9824b6d47461187a/diff/usr/lib/python3/dist-packages/mercurial/locale/fr/LC_MESSAGES/hg.mo
Mar 19 07:26:23 ip-172-21-0-99 docker: clamscan: Scanning /scan/mnt/gitlab/docker/overlay2/cb91ee0a392a8b157d52474fa67092b0f65041470a53a5db9824b6d47461187a/diff/usr/lib/python3/dist-packages/mercurial/locale/ja/LC_MESSAGES/hg.mo
Mar 19 07:26:24 ip-172-21-0-99 kernel: clamscan[3479]: segfault at 7fd07d2592e2 ip 00007fd0d07c1fde sp 00007ffc532b2200 error 4 in libclamav.so.12.0.2[7fd0d0639000+5c1000]
Mar 19 07:26:25 ip-172-21-0-99 docker: clamscan: Segmentation fault (core dumped)
Mar 19 07:26:25 ip-172-21-0-99 docker: clamscan: clamscan failed

How to reproduce the problem

daniel@Crispin ~ $ ls -l hg.mo
-rw-------  1 daniel  staff  1201056 Apr 30 14:47 hg.mo

Successful scan with v1.2.1-27:

daniel@Crispin ~ $ docker run --name clamscan --rm --volume $PWD:/scan docker.io/clamav/clamav:1.2.1-27 /bin/sh -c "freshclam && clamscan --verbose --recursive --infected --allmatch=yes /scan/hg.mo"
ClamAV update process started at Wed May  1 21:10:54 2024
daily database available for update (local version: 27161, remote version: 27262)
WARNING: downloadFile: file not found: https://database.clamav.net/daily-27162.cdiff
WARNING: downloadPatch: Can't download daily-27162.cdiff from https://database.clamav.net/daily-27162.cdiff
WARNING: downloadFile: file not found: https://database.clamav.net/daily-27162.cdiff
WARNING: downloadPatch: Can't download daily-27162.cdiff from https://database.clamav.net/daily-27162.cdiff
WARNING: downloadFile: file not found: https://database.clamav.net/daily-27162.cdiff
WARNING: downloadPatch: Can't download daily-27162.cdiff from https://database.clamav.net/daily-27162.cdiff
WARNING: Incremental update failed, trying to download daily.cvd
Testing database: '/var/lib/clamav/tmp.8f0db7f34e/clamav-ec2270c5edba6d9dc19b7cc6e82e0502.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 27262, sigs: 2060256, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for update (local version: 334, remote version: 335)
Testing database: '/var/lib/clamav/tmp.8f0db7f34e/clamav-ccd9b9ebcdd237fd0cc93339647ee26d.tmp-bytecode.cld' ...
Database test passed.
bytecode.cld updated (version: 335, sigs: 86, f-level: 90, builder: raynman)
WARNING: Clamd was NOT notified: Can't connect to clamd through /tmp/clamd.sock: No such file or directory
Scanning /scan/hg.mo
LibClamAV Warning: file_bytes is not valid unicode: invalid utf-8 sequence of 2 bytes from index 207618

----------- SCAN SUMMARY -----------
Known viruses: 8692086
Engine version: 1.2.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 4.13 MB
Data read: 1.14 MB (ratio 3.61:1)
Time: 31.502 sec (0 m 31 s)
Start Date: 2024:05:01 21:11:10
End Date:   2024:05:01 21:11:41
daniel@Crispin ~ $ echo $?
0

Failed scan with v1.3.0-41:

daniel@Crispin ~ $ docker run --name clamscan --rm --volume $PWD:/scan docker.io/clamav/clamav:1.3.0-41 /bin/sh -c "freshclam && clamscan --verbose --recursive --infected --allmatch=yes /scan/hg.mo"
ClamAV update process started at Wed May  1 21:12:05 2024
daily database available for update (local version: 27203, remote version: 27262)
Testing database: '/var/lib/clamav/tmp.8e188f0103/clamav-b4c2519c2181c876acfddb64e5d00d36.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 27262, sigs: 2060256, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
WARNING: Clamd was NOT notified: Can't connect to clamd through /tmp/clamd.sock: No such file or directory
Scanning /scan/hg.mo
daniel@Crispin ~ $ echo $?
139

clamconf:

daniel@Crispin ~ $ docker run --name clamscan --rm --volume $PWD:/scan docker.io/clamav/clamav:1.3.0-41 /bin/sh -c "clamconf -n"
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
PidFile = "/tmp/clamd.pid"
LocalSocket = "/tmp/clamd.sock"
TCPSocket = "3310"
User = "clamav"

Config file: freshclam.conf
---------------------------
PidFile = "/tmp/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/milter.log"
LogTime = "yes"
PidFile = "/tmp/clamav-milter.pid"
User = "clamav"
ClamdSocket = "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock"
MilterSocket = "inet:7357"

Software settings
-----------------
Version: 1.3.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 15:37:24 2024
daily.cvd: version 27203, sigs: 2054194, built on Sun Mar  3 09:27:22 2024
Total number of signatures: 8701707

Platform information
--------------------
uname: Linux 6.6.16-linuxkit #1 SMP PREEMPT_DYNAMIC Fri Feb 16 11:55:08 UTC 2024 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.3.1 (1.3.1), compile flags: a9
platform id: 0x0a21c8c808000000000d0201

Build information
-----------------
GNU C: 13.2.1 20231014 (13.2.1)
sizeof(void*) = 8
Engine flevel: 200, dconf: 200

Attachments

Zip file containing hg.mo: hg.mo.zip

micahsnyder commented 6 months ago

@dsotirho-ucsc An issue like this would generally be considered a security issue which we ask to be reported privately (see: https://github.com/Cisco-Talos/clamav/security/policy). If you come across something like this again, please follow those procedures for reporting.

But, I have good news. This one was fixed in 1.3.1.

I tested with both 1.3.0 and 1.3.1:

 ❯ ~/clams/1.3.0/bin/clamscan -d ~/clamav.hdb ~/Downloads/hg.mo/hg.mo
Loading:     0s, ETA:   0s [========================>]        1/1 sigs
Compiling:   0s, ETA:   0s [========================>]       10/10 tasks

fish: '~/clams/1.3.0/bin/clamscan -d ~…' terminated by signal SIGSEGV (Address boundary error)

❯ ~/clams/1.3.1/bin/clamscan -d ~/clamav.hdb ~/Downloads/hg.mo/hg.mo
Loading:     0s, ETA:   0s [========================>]        1/1 sigs
Compiling:   0s, ETA:   0s [========================>]       10/10 tasks

/mnt/c/Users/micasnyd/Downloads/hg.mo/hg.mo: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 1.3.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 3.91 MB
Data read: 1.14 MB (ratio 3.42:1)
Time: 0.056 sec (0 m 0 s)
Start Date: 2024:05:01 18:40:40
End Date:   2024:05:01 18:40:40  

I popped open a debugger with the 1.3.0 version and found the crash occurs here: image

Stack trace: image

So it appears you found a test file for CVE-2024-20380, fixed in ClamAV 1.3.1.
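An added triage example, not part of the issue thread or of ClamAV's code: it parses the kernel `segfault at` line quoted in the report to recover the faulting offset inside `libclamav.so` and the kind of access, and maps the exit status 139 back to its signal. The function names `parse_segfault` and `exit_signal` are hypothetical; the sample line is copied from the report's syslog excerpt.

```python
import re
import signal

# Kernel "segfault at" line in the older x86 Linux format shown in the report.
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# Line taken from the report above (syslog prefix included).
REPORT_LINE = ("Mar 19 07:26:24 ip-172-21-0-99 kernel: clamscan[3479]: segfault at "
               "7fd07d2592e2 ip 00007fd0d07c1fde sp 00007ffc532b2200 error 4 in "
               "libclamav.so.12.0.2[7fd0d0639000+5c1000]")

def parse_segfault(line):
    """Return triage facts for one kernel segfault line, or None if it is not one."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    err = int(m["err"], 16)  # the kernel prints the page-fault error code in hex
    info = {
        "comm": m["comm"], "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        # x86 error code: bit 0 = page was present, bit 1 = write,
        # bit 2 = user mode, bit 4 = instruction fetch.
        "access": "exec" if err & 16 else "write" if err & 2 else "read",
        "page_present": bool(err & 1),
        "user_mode": bool(err & 4),
        "module": m["module"], "module_offset": None,
    }
    if m["module"]:
        ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
        # Offset of the faulting instruction inside the mapping the kernel names.
        # It does not change with ASLR, so crashes from different hosts running
        # the same build can be grouped by (module, offset).
        if base <= ip < base + size:
            info["module_offset"] = ip - base
    return info

def exit_signal(status):
    """Shell convention: exit status 128+N means the process was killed by signal N."""
    if status <= 128:
        return None
    try:
        return signal.Signals(status - 128).name
    except ValueError:
        return None

if __name__ == "__main__":
    print(parse_segfault(REPORT_LINE), exit_signal(139))
```

Turning the offset into a function name additionally needs the file offset of that mapping and the matching `libclamav.so` build, which the log line does not contain.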