debugging clamd segmentation fault after freshclam

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

debugging clamd segmentation fault after freshclam

Postby texilee » Fri Sep 07, 2007 8:01 am

hi all,

I have some problem with clamav, sometimes the clamav-daemon crash.

machine Debian Sarge kernel 2.4.32, latest clamav deb pkg (problem found also in previous version)


from the syslog:


Sep 6 03:20:02 ns1 spamd[10124]: got connection over
/var/run/spamd/spamd.sock
Sep 6 03:20:02 ns1 spamd[10124]: processing message (unknown) for
clamav:106.
Sep 6 03:20:02 ns1 kernel: grsec: From 213.145.91.45: signal 11 sent to
/usr/sbin/clamd[clamd:19069] uid/euid:106/106 gid/egid:106/106, parent
/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 6 03:20:03 ns1 qmail: 1189041603.493756 tcpserver: end 16883 status 0
Sep 6 03:20:03 ns1 qmail: 1189041603.493797 tcpserver: status: 6/40

and one week ago the same lines


/var/log/syslog.6.gz:Aug 31 02:20:04 ns1 kernel: grsec: From 151.1.22.137: signal 11 sent to /usr/sbin/clamd[clamd:7672]
uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106 by /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:12904] uid/euid:106/106 gid/egid:106/106

/var/log/syslog.6.gz:Aug 31 02:20:04 ns1 kernel: grsec: From 151.1.22.137: signal 11 sent to /usr/sbin/clamd[clamd:14521]
uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106 by /usr/sbin/clamd[clamd:3279]
uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:12904] uid/euid:106/106 gid/egid:106/106

/var/log/syslog.6.gz:Aug 31 02:20:04 ns1 kernel: grsec: From151.1.22.137: signal 11 sent to /usr/sbin/clamd[clamd:4270] uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106 by /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:12904] uid/euid:106/106 gid/egid:106/106

/var/log/syslog.6.gz:Aug 31 02:20:04 ns1 kernel: grsec: From 151.1.22.137: signal 11 sent to /usr/sbin/clamd[clamd:12904]
uid/euid:106/106 gid/egid:106/106, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/clamd[clamd:3279]
uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:12904] uid/euid:106/106 gid/egid:106/106


151.1.22.137 and 213.145.91.45 are trusted machine.



freshclam cron start every hours at h:20 (1:20, 2:20 ...) and problem was found at:

Sep 6 03:20:02

Aug 31 02:20:04

a few second after the virus list update


I have other mail server (Sarge qmail vpopmail clamav spamassassin) without pax/grsec that works fine.

what is the best way to debug this segmentation fault problem?

I will ask also to clamav developers the same question.

thanks
texilee
 
Posts: 6
Joined: Wed Jun 15, 2005 3:26 am

Re: debugging clamd segmentation fault after freshclam

Postby PaX Team » Fri Sep 21, 2007 4:48 pm

texilee wrote:I have other mail server (Sarge qmail vpopmail clamav spamassassin) without pax/grsec that works fine.
how do you know they work fine? just because noone reports segfaults doesn't mean they don't occur ;-).
what is the best way to debug this segmentation fault problem?
for a start, you'd have to find a reliable way to reproduce them, then you can debug it in gdb. short of that, you could enable coredumping for these processes (ulimit -c unlimited if you can run them from a shell or a script or maybe ask the developers to programmatically increase the core limit for these programs) then you wait for the coredumps to show up (make sure these programs run in a writable working directory or make use of /proc/sys/kernel/core_pattern) and analyze them in gdb.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby texilee » Mon Nov 26, 2007 6:16 am

thanks about reply, upgrade clamav to next release solve the issue!
texilee
 
Posts: 6
Joined: Wed Jun 15, 2005 3:26 am


Return to grsecurity support