Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

0.105.1 crashed with "thread '<unnamed>' panicked at 'range start index N out of range for slice of length M" #675

Open genme opened 2 years ago

genme commented 2 years ago

thread '<unnamed>' panicked at 'range start index 1915824 out of range for slice of length 957912', /root/.cargo/registry/src/github.com-1ecc6299db9ec823/tiff-0.7.3/src/decoder/mod.rs:131:72
fatal runtime error: failed to initiate panic, error 5

micahsnyder commented 2 years ago

Hi @genme this looks related to https://github.com/Cisco-Talos/clamav/issues/662 but does not appear to be the same. I will open another issue with the tiff library.

Are you able to direct-message me a copy of the file that causes this crash, either through Discord or email (micasnyd at cisco.com)?

dbl001 commented 2 years ago

I got the same error on OS X Monterey 12.5. Trying again with RUST_BACKTRACE=1 environment variable set.

thread '<unnamed>' panicked at 'range start index 16380 out of range for slice of length 9660', /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/src/decoder/mod.rs:131:72
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 5

micahsnyder commented 2 years ago

@dbl001 I have the same request for you -- if you can share the file with me privately, I would like to investigate.

dbl001 commented 2 years ago

mod.rs.gz

dbl001 commented 2 years ago

btw - Do you happen to know if:

Osx.Exploit.CVE_2021_4034-9951522-1 FOUND

is a false positive? I submitted this a few weeks back but didn't hear anything.

micahsnyder commented 2 years ago

@dbl001 sorry, I meant to say if you can share the file that you scanned that causes the crash. But please don't attach it here. If it reliably causes crashes it could be used to cause trouble. If you can share it via email (my addy above) or Discord in a direct message, I would appreciate it.

Regarding your false positive question, I see the signature is still active. I can ask the team that maintains the signature content and handles false positive reports if they see anything. If you can email me and tell me your email address that you used to submit the report, they should be able to find it and find out what's going on.

dbl001 commented 2 years ago

Did you receive the file? I submitted the request to the signature team as: davidl at softintel.com

mjbroekman commented 2 years ago

@dbl001 if that's the one on the MacOS nodejs binary, then yes... that sig was dropped (mentioned on Discord by Cisco)

dbl001 commented 2 years ago

It's still generating positives ...

/Library/Application Support/Adobe/Creative Cloud Libraries/CCLibrary.app/Contents/libs/node: Osx.Exploit.CVE_2021_4034-9951522-1 FOUND

mjbroekman commented 2 years ago

Yep. It was only mentioned in Discord about 30 minutes ago so it's likely that the new daily hasn't been published with the drop.

dbl001 commented 2 years ago

thread '<unnamed>' panicked at 'range start index 16380 out of range for slice of length 9660', /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/src/decoder/mod.rs:131:72
stack backtrace:
   0: rust_begin_unwind
             at /rustc/e1e9319d93aea755c444c8f8ff863b0936d7a4b6/library/std/src/panicking.rs:517:5
   1: core::panicking::panic_fmt
             at /rustc/e1e9319d93aea755c444c8f8ff863b0936d7a4b6/library/core/src/panicking.rs:100:14
   2: core::slice::index::slice_start_index_len_fail
             at /rustc/e1e9319d93aea755c444c8f8ff863b0936d7a4b6/library/core/src/slice/index.rs:34:5
   3: tiff::decoder::DecodingResult::as_buffer
   4: tiff::decoder::Decoder<R>::read_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/src/decoder/mod.rs:1230:17
   5: <image::codecs::tiff::TiffDecoder<R> as image::image::ImageDecoder>::read_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/codecs/tiff.rs:222:15
   6: image::image::decoder_to_vec
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/image.rs:587:5
   7: image::dynimage::decoder_to_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/dynimage.rs:1025:23
   8: image::dynimage::DynamicImage::from_decoder
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/dynimage.rs:175:9
   9: <image::io::free_functions::load_inner::LoadVisitor as image::io::free_functions::DecoderVisitor>::visit_decoder
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/io/free_functions.rs:107:13
  10: image::io::free_functions::load_decoder
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/io/free_functions.rs:64:37
  11: image::io::free_functions::load_inner
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/io/free_functions.rs:111:5
  12: image::io::free_functions::load
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/io/free_functions.rs:37:5
  13: image::dynimage::load_from_memory_with_format
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/dynimage.rs:1221:5
  14: image::dynimage::load_from_memory
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/dynimage.rs:1206:5
  15: clamav_rust::fuzzy_hash::fuzzy_hash_calculate_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/src/fuzzy_hash.rs:412:20
  16: fuzzy_hash_calculate_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/src/fuzzy_hash.rs:213:23
  17: calculate_fuzzy_image_hash
             at /Users/davidlaxer/clamav-0.105.1/libclamav/scanners.c:4088:10
  18: cli_magic_scan
  19: scan_common
             at /Users/davidlaxer/clamav-0.105.1/libclamav/scanners.c:5419:14
  20: cl_scandesc_callback
             at /Users/davidlaxer/clamav-0.105.1/libclamav/scanners.c:5595:14
  21: scanfile
             at /Users/davidlaxer/clamav-0.105.1/clamscan/manager.c:411:16
  22: scandirs
  23: scandirs
  24: scandirs
  25: scandirs
  26: scandirs
  27: scandirs
  28: scandirs
  29: scandirs
  30: scandirs
  31: scandirs
  32: scandirs
  33: scandirs
  34: scan_files
  35: scanmanager
             at /Users/davidlaxer/clamav-0.105.1/clamscan/manager.c:1625:15
  36: main
             at /Users/davidlaxer/clamav-0.105.1/clamscan/clamscan.c:171:11
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
fatal runtime error: failed to initiate panic, error 5
zsh: abort      RUST_BACKTRACE=1 clamscan -r -i --bell --exclude-dir=/Users/davidlaxer/clamav
(ai) davidlaxer@x86_64-apple-darwin13 build %

dbl001 commented 2 years ago

Could you check: Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND

/Applications/Keynote.app/Contents/SharedSupport/Templates/New_Template9/Wide.kth: Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND
/Applications/Keynote.app/Contents/SharedSupport/Templates/New_Template9_RTL/Wide.kth: Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND

mjbroekman commented 2 years ago

Not sure about the Xls.Downloader... that's a fuzzy_img match.

micahsnyder commented 2 years ago

@dbl001 this is not the right place to request help with false positive reports. If you haven't already submitted the FP report, please do so. Else please ask for help via the mailing list, or perhaps Discord. The mailing list will get more attention though.

Edit: The team that owns and maintains the detection content is separate from my development team. I won't be able to help you very well, but there are engineers from that team who monitor the mailing list.

dbl001 commented 2 years ago

LibClamAV debug: Checking realpath of /System/Volumes/Data/private/var/folders/3n/56fpv14n4wj0c1l1sb106pzw0000gn/T/20220810_073126-scantemp.20917697f0/tar-tmp.78691fd923/tar360
LibClamAV debug: cli_get_filepath_from_filedesc: File path for fd [15] is: /private/var/folders/3n/56fpv14n4wj0c1l1sb106pzw0000gn/T/20220810_073126-scantemp.20917697f0/tar-tmp.78691fd923/tar360
LibClamAV debug: Recognized TIFF Big Endian file
LibClamAV debug: cache_check: f691ac98b77439bb933b44cff53d8ac3 is negative
thread '<unnamed>' panicked at 'range start index 16380 out of range for slice of length 9660', /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/src/decoder/mod.rs:131:72
stack backtrace:
   0: rust_begin_unwind
             at /rustc/e1e9319d93aea755c444c8f8ff863b0936d7a4b6/library/std/src/panicking.rs:517:5
   1: core::panicking::panic_fmt
             at /rustc/e1e9319d93aea755c444c8f8ff863b0936d7a4b6/library/core/src/panicking.rs:100:14
   2: core::slice::index::slice_start_index_len_fail
             at /rustc/e1e9319d93aea755c444c8f8ff863b0936d7a4b6/library/core/src/slice/index.rs:34:5
   3: tiff::decoder::DecodingResult::as_buffer
   4: tiff::decoder::Decoder<R>::read_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/src/decoder/mod.rs:1230:17
   5: <image::codecs::tiff::TiffDecoder<R> as image::image::ImageDecoder>::read_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/codecs/tiff.rs:222:15
   6: image::image::decoder_to_vec
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/image.rs:587:5
   7: image::dynimage::decoder_to_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/dynimage.rs:1025:23
   8: image::dynimage::DynamicImage::from_decoder
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/dynimage.rs:175:9
   9: <image::io::free_functions::load_inner::LoadVisitor as image::io::free_functions::DecoderVisitor>::visit_decoder
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/io/free_functions.rs:107:13
  10: image::io::free_functions::load_decoder
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/io/free_functions.rs:64:37
  11: image::io::free_functions::load_inner
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/io/free_functions.rs:111:5
  12: image::io::free_functions::load
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/io/free_functions.rs:37:5
  13: image::dynimage::load_from_memory_with_format
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/dynimage.rs:1221:5
  14: image::dynimage::load_from_memory
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/.cargo/vendor/image/./src/dynimage.rs:1206:5
  15: clamav_rust::fuzzy_hash::fuzzy_hash_calculate_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/src/fuzzy_hash.rs:412:20
  16: fuzzy_hash_calculate_image
             at /Users/davidlaxer/clamav-0.105.1/libclamav_rust/src/fuzzy_hash.rs:213:23
  17: calculate_fuzzy_image_hash
             at /Users/davidlaxer/clamav-0.105.1/libclamav/scanners.c:4088:10
  18: cli_magic_scan
  19: scan_common
             at /Users/davidlaxer/clamav-0.105.1/libclamav/scanners.c:5419:14
  20: cl_scandesc_callback
             at /Users/davidlaxer/clamav-0.105.1/libclamav/scanners.c:5595:14
  21: scanfile
             at /Users/davidlaxer/clamav-0.105.1/clamscan/manager.c:411:16
  22: scandirs
  23: scandirs
  24: scandirs
  25: scandirs
  26: scandirs
  27: scandirs
  28: scandirs
  29: scandirs
  30: scandirs
  31: scandirs
  32: scandirs
  33: scandirs
  34: scan_files
  35: scanmanager
             at /Users/davidlaxer/clamav-0.105.1/clamscan/manager.c:1625:15
  36: main
             at /Users/davidlaxer/clamav-0.105.1/clamscan/clamscan.c:171:11
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
fatal runtime error: failed to initiate panic, error 5
zsh: abort      RUST_BACKTRACE=1 clamscan -r -i --debug --bell    /
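
Added example, not part of the original thread and not code from ClamAV or the tiff crate: the panic reported above is Rust's bounds check on a slice range (`&buf[start..]` with `start` greater than the slice length), raised in Rust code that the backtrace shows being called from C. The sketch puts the panicking form next to a checked form, and adds a hypothetical C-callable wrapper (`example_hash_input`, an assumed name) that catches the panic and returns an error code instead of letting it reach the C caller.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Unchecked form: `&buf[start..]` panics when `start > buf.len()`,
/// the same class of failure as the panic message in this thread.
fn tail_unchecked(buf: &[u8], start: usize) -> &[u8] {
    &buf[start..]
}

/// Checked form: `get` returns None for an out-of-range start, so a
/// malformed input becomes an ordinary error the caller can handle.
fn tail_checked(buf: &[u8], start: usize) -> Result<&[u8], String> {
    buf.get(start..).ok_or_else(|| {
        format!(
            "range start index {} out of range for slice of length {}",
            start,
            buf.len()
        )
    })
}

/// Hypothetical C-callable entry point (assumed name, not ClamAV's API).
/// Any panic raised by the code it calls is caught here and mapped to -1,
/// so one bad file fails one scan step rather than the whole process.
/// Returns the number of bytes available from `start`, or -1 on error.
///
/// Safety: `data` must point to `len` readable bytes.
pub unsafe extern "C" fn example_hash_input(data: *const u8, len: usize, start: usize) -> i64 {
    if data.is_null() {
        return -1;
    }
    let buf = unsafe { std::slice::from_raw_parts(data, len) };
    match panic::catch_unwind(AssertUnwindSafe(|| tail_unchecked(buf, start).len())) {
        Ok(n) => n as i64,
        Err(_) => -1, // panic contained at the language boundary
    }
}

fn main() {
    // Constructed input: only the length and start index come from the
    // panic message quoted in the thread; the bytes are zero filler.
    let buf = vec![0u8; 9660];
    println!("{:?}", tail_checked(&buf, 16380));
    println!("{}", unsafe { example_hash_input(buf.as_ptr(), buf.len(), 16380) });
    println!("{}", unsafe { example_hash_input(buf.as_ptr(), buf.len(), 100) });
}
```

The caught panic still prints its message to stderr through the default panic hook; only the abort is avoided.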