grsecurity forums

[texilee]

hi all,

I have some problem with clamav, sometimes the clamav-daemon crash.

machine Debian Sarge kernel 2.4.32, latest clamav deb pkg (problem found also in previous version)


from the syslog:


Sep 6 03:20:02 ns1 spamd[10124]: got connection over
/var/run/spamd/spamd.sock
Sep 6 03:20:02 ns1 spamd[10124]: processing message (unknown) for
clamav:106.
Sep 6 03:20:02 ns1 kernel: grsec: From 213.145.91.45: signal 11 sent to
/usr/sbin/clamd[clamd:19069] uid/euid:106/106 gid/egid:106/106, parent
/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 6 03:20:03 ns1 qmail: 1189041603.493756 tcpserver: end 16883 status 0
Sep 6 03:20:03 ns1 qmail: 1189041603.493797 tcpserver: status: 6/40

and one week ago the same lines


/var/log/syslog.6.gz:Aug 31 02:20:04 ns1 kernel: grsec: From 151.1.22.137: signal 11 sent to /usr/sbin/clamd[clamd:7672]
uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106 by /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:12904] uid/euid:106/106 gid/egid:106/106

/var/log/syslog.6.gz:Aug 31 02:20:04 ns1 kernel: grsec: From 151.1.22.137: signal 11 sent to /usr/sbin/clamd[clamd:14521]
uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106 by /usr/sbin/clamd[clamd:3279]
uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:12904] uid/euid:106/106 gid/egid:106/106

/var/log/syslog.6.gz:Aug 31 02:20:04 ns1 kernel: grsec: From151.1.22.137: signal 11 sent to /usr/sbin/clamd[clamd:4270] uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106 by /usr/sbin/clamd[clamd:3279] uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:12904] uid/euid:106/106 gid/egid:106/106

/var/log/syslog.6.gz:Aug 31 02:20:04 ns1 kernel: grsec: From 151.1.22.137: signal 11 sent to /usr/sbin/clamd[clamd:12904]
uid/euid:106/106 gid/egid:106/106, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /usr/sbin/clamd[clamd:3279]
uid/euid:106/106 gid/egid:106/106, parent /usr/sbin/clamd[clamd:12904] uid/euid:106/106 gid/egid:106/106


151.1.22.137 and 213.145.91.45 are trusted machine.



freshclam cron start every hours at h:20 (1:20, 2:20 ...) and problem was found at:

Sep 6 03:20:02

Aug 31 02:20:04

a few second after the virus list update


I have other mail server (Sarge qmail vpopmail clamav spamassassin) without pax/grsec that works fine.

what is the best way to debug this segmentation fault problem?

I will ask also to clamav developers the same question.

thanks

[PaX Team]

I have other mail server (Sarge qmail vpopmail clamav spamassassin) without pax/grsec that works fine.

how do you know they work fine? just because noone reports segfaults doesn't mean they don't occur .

what is the best way to debug this segmentation fault problem?

for a start, you'd have to find a reliable way to reproduce them, then you can debug it in gdb. short of that, you could enable coredumping for these processes (ulimit -c unlimited if you can run them from a shell or a script or maybe ask the developers to programmatically increase the core limit for these programs) then you wait for the coredumps to show up (make sure these programs run in a writable working directory or make use of /proc/sys/kernel/core_pattern) and analyze them in gdb.

[texilee]

thanks about reply, upgrade clamav to next release solve the issue!