freshclam assert failure: *** stack smashing detected ***: terminated

StacktraceTop:
 pthread_kill () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6
 raise () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6
 abort () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6
 ?? () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6
 __fortify_fail () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6

StacktraceTop:
 __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f3e0a5b9393 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
 __GI___fortify_fail (msg=msg@entry=0x7f3e0a5b937b "stack smashing detected") at ./debug/fortify_fail.c:26
 __stack_chk_fail () at ./debug/stack_chk_fail.c:24
 ?? ()
 ?? ()

Hello and thanks for this bug report. Couple you please provide us some more information about the crash, like:

1. What did you do to trigger it?
2. Is it reproducible?
3. Was clamav working fine before you upgraded to lunar?

Do the attached stacktrace and coredump contain any private information? If this is not the case then we'll make the bug public, unless you have other objections.

Thanks!

This bug affects me, too.

Further information requested by Paride Legovini:

1. What did you do to trigger it?

    Run "sudo freshclam" to update virus database or "clamscan /path/to/file" to scan a file.

2. Is it reproducible?

    Yes, it happens every time I run freshclam or clamscan.

3. Was clamav working fine before you upgraded to lunar?

    Yes. I upgraded to lunar back in October when its repo got available. I think this bug started in late December or early January.

Commands output:

$ sudo freshclam
Fri Feb 10 09:31:41 2023 -> ClamAV update process started at Fri Feb 10 09:31:41 2023
Fri Feb 10 09:31:41 2023 -> daily database available for update (local version: 26759, remote version: 26808)
Current database is 49 versions behind.
Downloading database patch # 26760...
Time: 1.4s, ETA: 0.0s [========================>] 1.48KiB/1.48KiB
*** stack smashing detected ***: terminated
Aborted

$ clamscan Downloads/WinToUSB_Free.exe
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
*** stack smashing detected ***: terminated
Aborted (core dumped)

Should I open a new bug report?

I submitted a bug report from a recently installed Ubuntu 23.04 (2023-02-10 08:19 daily live image). This time freshclam crashes with a segmentation fault.

https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/2006967

I can confirm this happens on a fresh lunar install:

# lxc launch ubuntu-daily:lunar test-freshclam
# lxc exec test-freshclam bash
# apt update && apt dist-upgrade -y
# apt install clamav
# freshclam

Mon Feb 13 17:29:24 2023 -> ClamAV update process started at Mon Feb 13 17:29:24 2023
Mon Feb 13 17:29:24 2023 -> daily database available for download (remote version: 26811)
Time: 1.8s, ETA: 0.0s [========================>] 57.91MiB/57.91MiB
Segmentation fault (core dumped)

Likewise, running again with a cooldown still triggers it:

...
Mon Feb 13 18:28:41 2023 -> ^You are on cool-down until after: 2023-02-14 17:37:00
Mon Feb 13 18:28:41 2023 -> bytecode database available for download (remote version: 333)
Time: 0.4s, ETA: 0.0s [========================>] 286.79KiB/286.79KiB
Segmentation fault (core dumped)

I couldn't find any reported issues upstream that are related to this, but it seems most likely this is due to the merge from debian from 0.103.6+dfsg-1ubuntu1 to 0.103.7+dfsg-1ubuntu1

FWIW I was able to get the following backtrace from this crash:

(gdb) bt full
#0 s_fp_sub (a=0x7ffe3ea481a0, b=<optimized out>, c=0x7ffe3ea481a0) at src/addsub/s_fp_sub.c:30
        x = <optimized out>
        oldbused = <optimized out>
        oldused = 483582409
        t = <optimized out>
#1 0x00007fa0134db9e1 in fp_add (a=a@entry=0x7ffe3ea48640, b=b@entry=0x7ffe3ea481a0, c=c@entry=0x7ffe3ea481a0)
    at src/addsub/fp_add.c:36
        sa = 0
        sb = <optimized out>
#2 0x00007fa013f4fd9a in cli_decodesig (sig=<optimized out>, plen=16, e=..., n=...)
    at /build/clamav-BVgrQT/clamav-0.103.7+dfsg/libclamav/dsig.c:81
        i = <optimized out>
        slen = <optimized out>
        dec = <optimized out>
        plain = <optimized out>
        r = {dp = {20, 0 <repeats 71 times>}, used = 0, sign = 0}
        p = {dp = {7523094288207667809, 8101815670912281193, 8680537053616894577, 5063528411713075833,
            5642249794417674311, 6220971177122287695, 3689065128513853527, 3398873257388422452,
            14252546126433011493, 3628442678755211665, 2712605966946181364, 15277839593839420578,
            8694802841658813312, 5686060832697987328, 12525307746306663233, 3694540437919755632,
            16682102428094490919, 5631266801228481616, 14061618276812491434, 12197667988407176409,
            11079511681014219552, 3404728260627231669, 13043412223414144931, 8832037575717677253,
            6256736375726068327, 1492754453746096941, 2099850458381573509, 9306592184907088834,
            6237175487325309377, 10120151704950850987, 11851618273230141658, 11300675668428630678,
            17403472256060924040, 689431326608835423, 13397809209459187972, 16470382282525004697,
            4147042843502184282, 3335726350839652177, 17704539718282564709, 9328568386471887118,
            3029035003742963202, 3721060635362210435, 15422113546084857351, 5242631485635193648,
            5585345812499149634, 11028124888168443482, 12505072684500331840, 6166804767040247584,
            8327969952893387040, 12531736269459262785, 3930243339632379563, 200911044503768884,
            6073254765277986521, 9023911194406650026, 17641743940052621905, 6378363933382259647,
            4892725150097842880, 1681410646275668659, 7878974849415667176, 11790566601723893973,
            8719326998705976687, 7181653255783712, 2973234752302277065, 14834633410307321860,
            8450598079591262979, 11835167384365632637, 12126364641900763477, 3130395059942365217,
            3068322677788637080, 12426936100189987562, 4784747591849508306, 13164285774797318797},
          used = 449974006, sign = -2091867690}
        c = {dp = {18446744073709551596, 18446744073709551615 <repeats 71 times>}, used = -1, sign = -1}
#3 0x0000000000000000 in ?? ()
No symbol table info available.

This crash seems to be from libtfm

I can confirm this is a problem in libtfm. I installed libtfm1 (0.13-4.1) from kinetic repository. Freshclam runs correctly now:

$ sudo dpkg -i Downloads/libtfm1_0.13-4.1_amd64.deb
dpkg: warning: downgrading libtfm1:amd64 from 0.13.1-1 to 0.13-4.1
(Reading database ... 255083 files and directories currently installed.)
Preparing to unpack .../libtfm1_0.13-4.1_amd64.deb ...
Unpacking libtfm1:amd64 (0.13-4.1) over (0.13.1-1) ...
Setting up libtfm1:amd64 (0.13-4.1) ...
Processing triggers for libc-bin (2.36-0ubuntu4) ...

$ sudo freshclam
Tue Feb 14 13:57:52 2023 -> ClamAV update process started at Tue Feb 14 13:57:52 2023
Tue Feb 14 13:57:52 2023 -> daily database available for update (local version: 26759, remote version: 26812)
Current database is 53 versions behind.
Downloading database patch # 26760...
Time: 1.3s, ETA: 0.0s [========================>] 1.48KiB/1.48KiB

### LOTS OF DOWNLOADS

Downloading database patch # 26812...
Time: 0.4s, ETA: 0.0s [========================>] 14.29KiB/14.29KiB
Tue Feb 14 13:58:21 2023 -> Testing database: '/var/lib/clamav/tmp.24bf72ffd7/clamav-2612b7e0fbdb3a18bf680780eff04d81.tmp-daily.cld' ...
Tue Feb 14 13:58:26 2023 -> Database test passed.
Tue Feb 14 13:58:26 2023 -> daily.cld updated (version: 26812, sigs: 2020880, f-level: 90, builder: raynman)
Tue Feb 14 13:58:26 2023 -> main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Tue Feb 14 13:58:26 2023 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Tue Feb 14 13:58:26 2023 -> !NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf

FWIW I can't reproduce this on a debian sid install of clamav which also uses the same version of libtfm / tomsfastmath. However, Debian is using a newer version of clamav than Ubuntu 23.04 so perhaps this may be fixed by merging that version to Ubuntu (or perhaps even a no-change rebuild of clamav in lunar against the new tomsfastmath may also be enough since it was updated after clamav was merged from Debian back in November).

I installed, in Ubuntu 23.04, the following packages from Debian bookworm: clamav, clamav-base, libclamav11 and clamav-freshclam, version 1.0.0+dfsg-6. There's no crash using libtfm1 version 0.13.1-1 from lunar.

Looking at the upstream repo for clamav I suspect the following commit is required to be backported to clamav in lunar https://github.com/Cisco-Talos/clamav/commit/375ecf678c714623e6fb5c0119d1bec98dc700dd - or that a merge is done of clamav-1.0.0+dfsg-6 to lunar.

The merge is likely the best option I suspect.

I agree, but since clamav is a regular full version backport I wanted to warn to take extra considerations checking if the new rust components will work back in time or if they need to be disabled (at least on the backports).

Hey security, you usually do MREs of clamav anyway, do you plan to tackle this anytime soon?
Assigning you to have a look.

Turns out clamav-1.0.0 includes a transition from libclamav9 -> libclamav11 so this is taking a bit longer than expected - but I will keep plugging away.

Also this version currently FTBFS on armhf so I am looking into that as well.