freshclam assert failure: *** stack smashing detected ***: terminated

Bug #2003864 reported by semih demir
This bug affects 3 people
Affects: clamav (Ubuntu); Status: Confirmed; Importance: Medium; Assigned to: Ubuntu Security Team
Affects: tomsfastmath (Ubuntu); Status: Invalid; Importance: Undecided; Assigned to: Unassigned

Bug Description

Error

ProblemType: Crash
DistroRelease: Ubuntu 23.04
Package: clamav-freshclam 0.103.7+dfsg-1ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-29.30-generic 5.19.17
Uname: Linux 5.19.0-29-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.24.0-0ubuntu2
Architecture: amd64
AssertionMessage: *** stack smashing detected ***: terminated
CasperMD5CheckResult: pass
CrashCounter: 1
Date: Wed Jan 25 14:26:46 2023
ExecutablePath: /usr/bin/freshclam
InstallationDate: Installed on 2022-12-29 (26 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
ProcAttrCurrent: /usr/bin/freshclam (enforce)
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-5.19.0-29-generic root=UUID=4719a9cb-1d2b-400f-9531-79e80c0dd51e ro quiet splash vt.handoff=7
ProcEnviron: Error: [Errno 13] Permission denied: 'environ'
ProcMaps: Error: [Errno 13] Permission denied: 'maps'
Signal: 6
SourcePackage: clamav
StacktraceTop:
 __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f3e0a5b9393 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
 __GI___fortify_fail (msg=msg@entry=0x7f3e0a5b937b "stack smashing detected") at ./debug/fortify_fail.c:26
 __stack_chk_fail () at ./debug/stack_chk_fail.c:24
 ?? () from /lib/x86_64-linux-gnu/libclamav.so.9
 ?? ()
Title: freshclam assert failure: *** stack smashing detected ***: terminated
UpgradeStatus: Upgraded to lunar on 2023-01-24 (0 days ago)
UserGroups: N/A

Revision history for this message
semih demir (hackersz) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 pthread_kill () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6
 raise () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6
 abort () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6
 ?? () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6
 __fortify_fail () from /tmp/apport_sandbox_g2zkvwu7/lib/x86_64-linux-gnu/libc.so.6

tags: removed: need-amd64-retrace
Apport retracing service (apport) wrote :

StacktraceTop:
 __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f3e0a5b9393 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
 __GI___fortify_fail (msg=msg@entry=0x7f3e0a5b937b "stack smashing detected") at ./debug/fortify_fail.c:26
 __stack_chk_fail () at ./debug/stack_chk_fail.c:24
 ?? ()
 ?? ()

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : StacktraceSource.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in clamav (Ubuntu):
importance: Undecided → Medium
information type: Private Security → Public Security
Paride Legovini (paride) wrote :

Hello and thanks for this bug report. Could you please provide us with some more information about the crash, like:

1. What did you do to trigger it?
2. Is it reproducible?
3. Was clamav working fine before you upgraded to lunar?

Do the attached stacktrace and coredump contain any private information? If this is not the case then we'll make the bug public, unless you have other objections.

Thanks!

Changed in clamav (Ubuntu):
status: New → Incomplete
Eric Carvalho (eric-carvalho) wrote (last edit):

This bug affects me, too.

Further information requested by Paride Legovini:

1. What did you do to trigger it?

    Run "sudo freshclam" to update virus database or "clamscan /path/to/file" to scan a file.

2. Is it reproducible?

    Yes, it happens every time I run freshclam or clamscan.

3. Was clamav working fine before you upgraded to lunar?

    Yes. I upgraded to lunar back in October when its repo became available. I think this bug started in late December or early January.

Commands output:

$ sudo freshclam
Fri Feb 10 09:31:41 2023 -> ClamAV update process started at Fri Feb 10 09:31:41 2023
Fri Feb 10 09:31:41 2023 -> daily database available for update (local version: 26759, remote version: 26808)
Current database is 49 versions behind.
Downloading database patch # 26760...
Time: 1.4s, ETA: 0.0s [========================>] 1.48KiB/1.48KiB
*** stack smashing detected ***: terminated
Aborted

$ clamscan Downloads/WinToUSB_Free.exe
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
*** stack smashing detected ***: terminated
Aborted (core dumped)

Should I open a new bug report?

Changed in clamav (Ubuntu):
status: Incomplete → Confirmed
Eric Carvalho (eric-carvalho) wrote :

I submitted a bug report from a recently installed Ubuntu 23.04 (2023-02-10 08:19 daily live image). This time freshclam crashes with a segmentation fault.

https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/2006967

Lena Voytek (lvoytek) wrote :

I can confirm this happens on a fresh lunar install:

# lxc launch ubuntu-daily:lunar test-freshclam
# lxc exec test-freshclam bash
# apt update && apt dist-upgrade -y
# apt install clamav
# freshclam

Mon Feb 13 17:29:24 2023 -> ClamAV update process started at Mon Feb 13 17:29:24 2023
Mon Feb 13 17:29:24 2023 -> daily database available for download (remote version: 26811)
Time: 1.8s, ETA: 0.0s [========================>] 57.91MiB/57.91MiB
Segmentation fault (core dumped)

Likewise, running again with a cooldown still triggers it:

...
Mon Feb 13 18:28:41 2023 -> ^You are on cool-down until after: 2023-02-14 17:37:00
Mon Feb 13 18:28:41 2023 -> bytecode database available for download (remote version: 333)
Time: 0.4s, ETA: 0.0s [========================>] 286.79KiB/286.79KiB
Segmentation fault (core dumped)

I couldn't find any reported issues upstream that are related to this, but it seems most likely this is due to the merge from Debian from 0.103.6+dfsg-1ubuntu1 to 0.103.7+dfsg-1ubuntu1.

tags: added: server-todo
Alex Murray (alexmurray) wrote :

FWIW I was able to get the following backtrace from this crash:

(gdb) bt full
#0 s_fp_sub (a=0x7ffe3ea481a0, b=<optimized out>, c=0x7ffe3ea481a0) at src/addsub/s_fp_sub.c:30
        x = <optimized out>
        oldbused = <optimized out>
        oldused = 483582409
        t = <optimized out>
#1 0x00007fa0134db9e1 in fp_add (a=a@entry=0x7ffe3ea48640, b=b@entry=0x7ffe3ea481a0, c=c@entry=0x7ffe3ea481a0)
    at src/addsub/fp_add.c:36
        sa = 0
        sb = <optimized out>
#2 0x00007fa013f4fd9a in cli_decodesig (sig=<optimized out>, plen=16, e=..., n=...)
    at /build/clamav-BVgrQT/clamav-0.103.7+dfsg/libclamav/dsig.c:81
        i = <optimized out>
        slen = <optimized out>
        dec = <optimized out>
        plain = <optimized out>
        r = {dp = {20, 0 <repeats 71 times>}, used = 0, sign = 0}
        p = {dp = {7523094288207667809, 8101815670912281193, 8680537053616894577, 5063528411713075833,
            5642249794417674311, 6220971177122287695, 3689065128513853527, 3398873257388422452,
            14252546126433011493, 3628442678755211665, 2712605966946181364, 15277839593839420578,
            8694802841658813312, 5686060832697987328, 12525307746306663233, 3694540437919755632,
            16682102428094490919, 5631266801228481616, 14061618276812491434, 12197667988407176409,
            11079511681014219552, 3404728260627231669, 13043412223414144931, 8832037575717677253,
            6256736375726068327, 1492754453746096941, 2099850458381573509, 9306592184907088834,
            6237175487325309377, 10120151704950850987, 11851618273230141658, 11300675668428630678,
            17403472256060924040, 689431326608835423, 13397809209459187972, 16470382282525004697,
            4147042843502184282, 3335726350839652177, 17704539718282564709, 9328568386471887118,
            3029035003742963202, 3721060635362210435, 15422113546084857351, 5242631485635193648,
            5585345812499149634, 11028124888168443482, 12505072684500331840, 6166804767040247584,
            8327969952893387040, 12531736269459262785, 3930243339632379563, 200911044503768884,
            6073254765277986521, 9023911194406650026, 17641743940052621905, 6378363933382259647,
            4892725150097842880, 1681410646275668659, 7878974849415667176, 11790566601723893973,
            8719326998705976687, 7181653255783712, 2973234752302277065, 14834633410307321860,
            8450598079591262979, 11835167384365632637, 12126364641900763477, 3130395059942365217,
            3068322677788637080, 12426936100189987562, 4784747591849508306, 13164285774797318797},
          used = 449974006, sign = -2091867690}
        c = {dp = {18446744073709551596, 18446744073709551615 <repeats 71 times>}, used = -1, sign = -1}
#3 0x0000000000000000 in ?? ()
No symbol table info available.
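
The interesting part of the frame #2 locals above is not the digit arrays but the metadata: tomsfastmath's fp_int is a fixed digit array followed by `used` and `sign`, and both `p` and `c` carry values those fields can never legitimately hold (`used = 449974006`, `sign = -2091867690`, `used = -1`). A subtraction loop bounded by such a `used` (frame #0 shows `oldused = 483582409`) runs far past the 72-digit array, which is consistent with the stack protector firing in `s_fp_sub`. As an added illustration, not code from this bug report or from the clamav or tomsfastmath projects, the script below pulls every fp_int local out of a `bt full` dump and checks those invariants, so a triager can spot the corrupted operands at a glance. FP_SIZE = 72 is an assumption taken from the 72-entry `dp` arrays gdb printed; the embedded dump is a constructed excerpt of frame #2, with `p`'s digit array shortened to four entries.

```python
"""Sanity-check tomsfastmath fp_int locals found in a gdb 'bt full' dump."""
import re

FP_SIZE = 72      # digits per fp_int; assumed from the 72-entry dp arrays in this backtrace
DIGIT_BITS = 64   # fp_digit is 64 bits wide on amd64

# Constructed sample: an excerpt of frame #2 from the backtrace in this report,
# with p's digit array shortened to keep the sample readable.
GDB_DUMP = """\
#2 0x00007fa013f4fd9a in cli_decodesig (sig=<optimized out>, plen=16, e=..., n=...)
    at /build/clamav-BVgrQT/clamav-0.103.7+dfsg/libclamav/dsig.c:81
        i = <optimized out>
        r = {dp = {20, 0 <repeats 71 times>}, used = 0, sign = 0}
        p = {dp = {7523094288207667809, 8101815670912281193, 8680537053616894577,
            5063528411713075833}, used = 449974006, sign = -2091867690}
        c = {dp = {18446744073709551596, 18446744073709551615 <repeats 71 times>}, used = -1, sign = -1}
"""

# One fp_int local: "<name> = {dp = {...}, used = N, sign = S}"; dp may span lines.
FP_INT_RE = re.compile(
    r"(\w+) = \{dp = \{(.*?)\}, used = (-?\d+), sign = (-?\d+)\}", re.S)
# One dp entry, optionally with gdb's run-length shorthand.
DIGIT_RE = re.compile(r"(\d+)(?: <repeats (\d+) times>)?")


def expand_digits(dp_text):
    """Expand gdb's 'N <repeats K times>' shorthand into a flat list of ints."""
    digits = []
    for item in dp_text.split(","):
        m = DIGIT_RE.fullmatch(item.strip())
        if not m:
            raise ValueError("unparsed digit entry: %r" % item)
        value, reps = int(m.group(1)), int(m.group(2) or 1)
        digits.extend([value] * reps)
    return digits


def check_fp_int(digits, used, sign):
    """Return the invariant violations for one fp_int; an empty list means plausible."""
    problems = []
    if not 0 <= used <= FP_SIZE:
        problems.append("used=%d outside [0, %d]" % (used, FP_SIZE))
    if sign not in (0, 1):
        problems.append("sign=%d is neither FP_ZPOS (0) nor FP_NEG (1)" % sign)
    if len(digits) > FP_SIZE:
        problems.append("%d digits exceeds FP_SIZE" % len(digits))
    if any(d >= 1 << DIGIT_BITS for d in digits):
        problems.append("digit wider than fp_digit")
    return problems


def check_fp_ints(dump):
    """Map every fp_int local in a 'bt full' dump to its list of violations."""
    return {name: check_fp_int(expand_digits(dp), int(used), int(sign))
            for name, dp, used, sign in FP_INT_RE.findall(dump)}


if __name__ == "__main__":
    for name, problems in check_fp_ints(GDB_DUMP).items():
        print(name, "ok" if not problems else "; ".join(problems))
```

Run against the sample, `r` passes while `p` and `c` each fail on both `used` and `sign`, which is the pattern of an operand whose memory was overwritten (or whose layout the caller and the library disagree about) rather than an arithmetic bug in the library itself. The same check can be pointed at any fp_int-bearing frame in the attached Stacktrace.txt.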

Alex Murray (alexmurray) wrote :

This crash seems to be from libtfm

Eric Carvalho (eric-carvalho) wrote :

I can confirm this is a problem in libtfm. I installed libtfm1 (0.13-4.1) from kinetic repository. Freshclam runs correctly now:

$ sudo dpkg -i Downloads/libtfm1_0.13-4.1_amd64.deb
dpkg: warning: downgrading libtfm1:amd64 from 0.13.1-1 to 0.13-4.1
(Reading database ... 255083 files and directories currently installed.)
Preparing to unpack .../libtfm1_0.13-4.1_amd64.deb ...
Unpacking libtfm1:amd64 (0.13-4.1) over (0.13.1-1) ...
Setting up libtfm1:amd64 (0.13-4.1) ...
Processing triggers for libc-bin (2.36-0ubuntu4) ...

$ sudo freshclam
Tue Feb 14 13:57:52 2023 -> ClamAV update process started at Tue Feb 14 13:57:52 2023
Tue Feb 14 13:57:52 2023 -> daily database available for update (local version: 26759, remote version: 26812)
Current database is 53 versions behind.
Downloading database patch # 26760...
Time: 1.3s, ETA: 0.0s [========================>] 1.48KiB/1.48KiB

### LOTS OF DOWNLOADS

Downloading database patch # 26812...
Time: 0.4s, ETA: 0.0s [========================>] 14.29KiB/14.29KiB
Tue Feb 14 13:58:21 2023 -> Testing database: '/var/lib/clamav/tmp.24bf72ffd7/clamav-2612b7e0fbdb3a18bf680780eff04d81.tmp-daily.cld' ...
Tue Feb 14 13:58:26 2023 -> Database test passed.
Tue Feb 14 13:58:26 2023 -> daily.cld updated (version: 26812, sigs: 2020880, f-level: 90, builder: raynman)
Tue Feb 14 13:58:26 2023 -> main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Tue Feb 14 13:58:26 2023 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Tue Feb 14 13:58:26 2023 -> !NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf

Changed in tomsfastmath (Ubuntu):
status: New → Confirmed
Changed in clamav (Ubuntu):
status: Confirmed → Invalid
Alex Murray (alexmurray) wrote :

FWIW I can't reproduce this on a Debian sid install of clamav which also uses the same version of libtfm / tomsfastmath. However, Debian is using a newer version of clamav than Ubuntu 23.04, so perhaps this may be fixed by merging that version to Ubuntu (or perhaps even a no-change rebuild of clamav in lunar against the new tomsfastmath may also be enough, since it was updated after clamav was merged from Debian back in November).

Eric Carvalho (eric-carvalho) wrote :

I installed, in Ubuntu 23.04, the following packages from Debian bookworm: clamav, clamav-base, libclamav11 and clamav-freshclam, version 1.0.0+dfsg-6. There's no crash using libtfm1 version 0.13.1-1 from lunar.

Alex Murray (alexmurray) wrote :

Looking at the upstream repo for clamav I suspect the following commit is required to be backported to clamav in lunar https://github.com/Cisco-Talos/clamav/commit/375ecf678c714623e6fb5c0119d1bec98dc700dd - or that a merge is done of clamav-1.0.0+dfsg-6 to lunar.

The merge is likely the best option I suspect.

Changed in clamav (Ubuntu):
status: Invalid → Confirmed
Changed in tomsfastmath (Ubuntu):
status: Confirmed → Invalid
Christian Ehrhardt (paelzer) wrote :

I agree, but since clamav is a regular full version backport I wanted to warn to take extra care checking whether the new rust components will work back in time or whether they need to be disabled (at least on the backports).

Christian Ehrhardt (paelzer) wrote :

Hey security, you usually do MREs of clamav anyway, do you plan to tackle this anytime soon?
Assigning you to have a look.

Changed in clamav (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
assignee: Christian Ehrhardt (paelzer) → Ubuntu Security Team (ubuntu-security)
Alex Murray (alexmurray) wrote (last edit):

Turns out clamav-1.0.0 includes a transition from libclamav9 -> libclamav11 so this is taking a bit longer than expected - but I will keep plugging away.

Also this version currently FTBFS on armhf so I am looking into that as well.

tags: removed: server-todo