clamav-0.96.1 issue with PAX/Hardened Gentoo System


clamav-0.96.1 issue with PAX/Hardened Gentoo System

Postby hanji » Tue Jun 29, 2010 9:53 pm

So, I've been struggling with clamd crashing after 6/28/2010. I've contacted clamav, and issued a bug, and they're working on a fix.

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092
http://forums.gentoo.org/viewtopic-p-6335986.html

I'm currently running hardened-sources (2.6.28-hardened-r9), and apparently there are issues with executing RWX memory. I get the following errors during the crash:

Code:
Jun 29 18:57:23 comp kernel: PAX: From xxx.xxx.xxx.xxx: execution attempt in: <anonymous mapping>, 47755000-47808000 47755000
Jun 29 18:57:23 comp kernel: PAX: terminating task: /usr/sbin/clamd(clamd):12689, uid/euid: 105/105, PC: 4777c6d0, SP: 46f172ec
Jun 29 18:57:23 comp kernel: PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 d4 fe ff ff 83 c4 04 c3 b3 04 00 00
Jun 29 18:57:23 comp kernel: PAX: bytes at SP-4:
Jun 29 18:57:53 comp kernel: PAX: execution attempt in: <anonymous mapping>, 4330c000-43b98000 4330c000
Jun 29 18:57:53 comp kernel: PAX: terminating task: /usr/bin/clamscan(clamscan):12791, uid/euid: 105/105, PC: 43b0c6d0, SP: 5a92129c
Jun 29 18:57:53 comp kernel: PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 d4 fe ff ff 83 c4 04 c3 b3 04 00 00
Jun 29 18:57:53 comp kernel: PAX: bytes at SP-4:


While they're working on the fix, I would love to have something in place so I have clamav without removing PAX/Grsecurity from the kernel. I saw people using paxctl -m /usr/sbin/clamd to address this, but this does not work for me. I currently have the following flags used on paxctl...

Code:
- PaX flags: -p-s-m-x-e-- [/usr/sbin/clamd]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled


I also tried to adjust clamscan..

Code:
- PaX flags: -p-s-m-x-e-- [/usr/bin/clamscan]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled


It also appears to happen when clam updates (freshclam), and I started clamd without freshclam.. and I'm still getting the intermittent crashes. The logs indicate that it's clamd and clamscan, so I did not adjust flags for freshclam.

Can anyone help with a solution so I can get clamav running while they sort out this issue? On that note, I have to mention that the bug was introduced with a dat update.. not a new build of clamav, etc. This version was working fine for some time until yesterday.

Thanks in advance!
hanji
Posts: 5
Joined: Tue Jun 29, 2010 9:43 pm

Re: clamav-0.96.1 issue with PAX/Hardened Gentoo System

Postby PaX Team » Wed Jun 30, 2010 3:04 pm

there're a few questions/issues here to clear up ;).

1. i need to see your PaX kernel config to understand what you enabled/disabled.

2. assuming you enabled most features under NOEXEC and also use the PT_PAX_FLAGS marking, paxctl -m is the way to allow a program to generate code at runtime. IOW, if clamav still crashes after that, you're either not using PT_PAX_FLAGS (we'll see it from your config), or clamav is generating code at runtime in an improper way (it puts code into !PROT_EXEC memory). based on some quick grepping in its sources and also your strace on the gentoo forum, i think it does ask for PROT_EXEC when it needs it (that llvm based stuff), so disabling MPROTECT should be enough to get it to work. you can verify that clamav processes run without MPROTECT by looking at /proc/pid/status and the PaX line in it, please post it.

3. if you disable all PaX features on a binary, there's no way it can trigger a PaX kill so i'm quite puzzled at how you got that result ;).

4. just as a sidenote, try to use a newer kernel, we're supporting only .32 and whatever is the latest stable vanilla kernel.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
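PaX Team's suggestion above is to check the "PaX:" line of /proc/<pid>/status for the running clamd. The script below is an added example (not from this thread, not part of paxctl or clamav) that decodes that line: a grsecurity kernel prints five letters in the order PAGEEXEC EMUTRAMP MPROTECT RANDMMAP SEGMEXEC, upper-case meaning the feature is active for that process, lower-case meaning it is off, and "-----" for a task without an address space. The two sample lines are constructed for the demonstration; give the script a pid to decode a live process on a PaX kernel instead.

```shell
#!/bin/sh
# Added example: decode the "PaX:" line from /proc/<pid>/status so a defender
# can confirm that clamd/clamscan really run with MPROTECT off (and nothing
# else relaxed). Letter order is the one the grsecurity kernel prints.

PAX_PROC_ORDER="PAGEEXEC EMUTRAMP MPROTECT RANDMMAP SEGMEXEC"

# pax_state "PaX:<tab>PEmRS" FEATURE  -> prints on|off|none
# "none" covers the "-----" line printed for a task without an mm.
pax_state() {
    line=$1
    want=$2
    letters=$(printf '%s\n' "$line" | sed 's/^PaX:[[:space:]]*//')
    i=1
    for name in $PAX_PROC_ORDER; do
        if [ "$name" = "$want" ]; then
            c=$(printf '%s\n' "$letters" | cut -c "$i")
            case $c in
                [PEMRS]) echo on ;;
                [pemrs]) echo off ;;
                *)       echo none ;;
            esac
            return 0
        fi
        i=$((i + 1))
    done
    echo unknown
    return 1
}

# pax_line_of_pid PID -> the PaX line of a live process; prints nothing and
# fails on a kernel without PaX, which has no such line in status.
pax_line_of_pid() {
    grep '^PaX:' "/proc/$1/status" 2>/dev/null
}

# pax_summary LINE -> one "FEATURE=state" line per feature
pax_summary() {
    for name in $PAX_PROC_ORDER; do
        printf '%s=%s\n' "$name" "$(pax_state "$1" "$name")"
    done
}

# Constructed sample lines (not captured from the thread's systems):
#   a clamd marked with `paxctl -m`: MPROTECT off, every other feature on
SAMPLE_CLAMD_OK=$(printf 'PaX:\tPEmRS')
#   an unmarked process: everything on, so runtime code generation is blocked
SAMPLE_DEFAULT=$(printf 'PaX:\tPEMRS')

if [ -n "${1:-}" ]; then
    # ./script <pid> decodes a live process
    line=$(pax_line_of_pid "$1") || { echo "pid $1: no PaX line (not a PaX kernel?)"; exit 1; }
    pax_summary "$line"
else
    echo "sample: clamd marked with paxctl -m"; pax_summary "$SAMPLE_CLAMD_OK"
    echo "sample: unmarked process";           pax_summary "$SAMPLE_DEFAULT"
fi
```

A healthy marking for this thread's case is MPROTECT=off with PAGEEXEC, SEGMEXEC and RANDMMAP still on; if the live line shows more features off than that, the binary's marking is wider than the problem needs.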

Re: clamav-0.96.1 issue with PAX/Hardened Gentoo System

Postby aeonflux » Fri Jul 30, 2010 12:56 pm

I'm having this exact same issue on a production webserver running moodle.

# clamscan zip.000
Killed

grsec: From 10.2.220.253: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/clamscan[clamscan:3361] uid/euid:81/81 gid/egid:81/81, parent /bin/bash[sh:3360] uid/euid:81/81 gid/egid:81/81
PAX: execution attempt in: <anonymous mapping>, 455eb000-45ea5000 455eb000
PAX: terminating task: /usr/bin/clamscan(clamscan):3369, uid/euid: 81/81, PC: 45debbe0, SP: 5b2645ec
PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 34 fe ff ff 83 c4 04 c3 23 17 00 00
PAX: bytes at SP-4:
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/clamscan[clamscan:3369] uid/euid:81/81 gid/egid:81/81, parent /bin/bash[sh:3368] uid/euid:81/81 gid/egid:81/81

I've disabled all of the grsecurity options.

# chpax -v /usr/bin/clamscan

----[ chpax 0.7 : Current flags for /usr/bin/clamscan (pemrxs) ]----

* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled

And it still dies.

# clamscan -V
ClamAV 0.96.1/11465/Fri Jul 30 08:43:50 2010

# gcc-config -l
[1] i686-pc-linux-gnu-3.4.6
[2] i686-pc-linux-gnu-3.4.6-hardened
[3] i686-pc-linux-gnu-3.4.6-hardenednopie
[4] i686-pc-linux-gnu-3.4.6-hardenednopiessp
[5] i686-pc-linux-gnu-3.4.6-hardenednossp
[6] i686-pc-linux-gnu-4.1.2 *

Compiled with the vanilla compiler.
aeonflux
 
Posts: 3
Joined: Fri Jul 30, 2010 12:48 pm

Re: clamav-0.96.1 issue with PAX/Hardened Gentoo System

Postby aeonflux » Fri Jul 30, 2010 1:00 pm

aeonflux wrote: I'm having this exact same issue on a production webserver running moodle.

# clamscan zip.000
Killed

grsec: From 10.2.220.253: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/clamscan[clamscan:3361] uid/euid:81/81 gid/egid:81/81, parent /bin/bash[sh:3360] uid/euid:81/81 gid/egid:81/81
PAX: execution attempt in: <anonymous mapping>, 455eb000-45ea5000 455eb000
PAX: terminating task: /usr/bin/clamscan(clamscan):3369, uid/euid: 81/81, PC: 45debbe0, SP: 5b2645ec
PAX: bytes at PC: 83 ec 04 8b 4c 24 08 e8 34 fe ff ff 83 c4 04 c3 23 17 00 00
PAX: bytes at SP-4:
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/clamscan[clamscan:3369] uid/euid:81/81 gid/egid:81/81, parent /bin/bash[sh:3368] uid/euid:81/81 gid/egid:81/81

I've disabled all of the grsecurity options.

# chpax -v /usr/bin/clamscan

----[ chpax 0.7 : Current flags for /usr/bin/clamscan (pemrxs) ]----

* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled

And it still dies.

# clamscan -V
ClamAV 0.96.1/11465/Fri Jul 30 08:43:50 2010

# gcc-config -l
[1] i686-pc-linux-gnu-3.4.6
[2] i686-pc-linux-gnu-3.4.6-hardened
[3] i686-pc-linux-gnu-3.4.6-hardenednopie
[4] i686-pc-linux-gnu-3.4.6-hardenednopiessp
[5] i686-pc-linux-gnu-3.4.6-hardenednossp
[6] i686-pc-linux-gnu-4.1.2 *

Compiled with the vanilla compiler.


I was able to resolve the issue by using 'paxctl'

# paxctl -v clamscan
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [clamscan]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is disabled

# clamscan zip.000
zip.000: OK

----------- SCAN SUMMARY -----------
Known viruses: 812417
Engine version: 0.96.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.04 MB
Data read: 0.02 MB (ratio 1.83:1)
Time: 6.249 sec (0 m 6 s)

Alright now time to figure out exactly which specific flags I need to have enabled and which I don't.
aeonflux
 
Posts: 3
Joined: Fri Jul 30, 2010 12:48 pm

Re: clamav-0.96.1 issue with PAX/Hardened Gentoo System

Postby aeonflux » Fri Jul 30, 2010 1:11 pm

PaX Team wrote: 2. assuming you enabled most features under NOEXEC and also use the PT_PAX_FLAGS marking, paxctl -m is the way to allow a program to generate code at runtime. IOW, if clamav still crashes after that, you're either not using PT_PAX_FLAGS (we'll see it from your config), or clamav is generating code at runtime in an improper way (it puts code into !PROT_EXEC memory). based on some quick grepping in its sources and also your strace on the gentoo forum, i think it does ask for PROT_EXEC when it needs it (that llvm based stuff), so disabling MPROTECT should be enough to get it to work. you can verify that clamav processes run without MPROTECT by looking at /proc/pid/status and the PaX line in it, please post it.


I can confirm this.

# paxctl -v /usr/bin/clamscan
- PaX flags: P-S--mX-E-R- [/usr/bin/clamscan]
PAGEEXEC is enabled
SEGMEXEC is enabled
MPROTECT is disabled
RANDEXEC is enabled
EMUTRAMP is enabled
RANDMMAP is enabled

IE, paxctl -m /usr/bin/clamscan only.. works fine. Perhaps this change should be made to the clamav ebuild?
aeonflux
 
Posts: 3
Joined: Fri Jul 30, 2010 12:48 pm
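The two paxctl -v outputs in this thread, "-p-s-m-x-e-r" (everything switched off) and "P-S--mX-E-R-" (only MPROTECT off), differ by five features that the crash never needed relaxed. The script below is an added example (not part of the thread, of paxctl, or of the clamav ebuild) that decodes paxctl's 12-character flag string and reports what a marking actually turns off. Each feature owns a pair of positions: the first is its upper-case "enabled" marker, the second its lower-case "disabled" marker, and "-" means that marker is not set so the kernel default applies; the order is PAGEEXEC SEGMEXEC MPROTECT RANDEXEC EMUTRAMP RANDMMAP.

```shell
#!/bin/sh
# Added example: decode `paxctl -v` flag strings such as "P-S--mX-E-R-" and
# compare two markings, so the narrowest marking (paxctl -m only) can be
# checked against an over-broad one before it is committed to a package.

PAXCTL_ORDER="PAGEEXEC SEGMEXEC MPROTECT RANDEXEC EMUTRAMP RANDMMAP"

# paxctl_state FLAGS FEATURE -> enabled|disabled|default
paxctl_state() {
    flags=$1
    want=$2
    i=0
    for name in $PAXCTL_ORDER; do
        if [ "$name" = "$want" ]; then
            # position 2i+1 is the enable marker, 2i+2 the disable marker
            pair=$(printf '%s\n' "$flags" | cut -c "$((2 * i + 1))-$((2 * i + 2))")
            case $pair in
                [PSMXER]?) echo enabled ;;
                ?[psmxer]) echo disabled ;;
                *)         echo default ;;
            esac
            return 0
        fi
        i=$((i + 1))
    done
    echo unknown
    return 1
}

# paxctl_diff FLAGS_A FLAGS_B -> "FEATURE: a -> b" for each feature that differs
paxctl_diff() {
    for name in $PAXCTL_ORDER; do
        a=$(paxctl_state "$1" "$name")
        b=$(paxctl_state "$2" "$name")
        if [ "$a" != "$b" ]; then
            printf '%s: %s -> %s\n' "$name" "$a" "$b"
        fi
    done
}

# paxctl_disabled_count FLAGS -> number of features the marking switches off
paxctl_disabled_count() {
    n=0
    for name in $PAXCTL_ORDER; do
        if [ "$(paxctl_state "$1" "$name")" = disabled ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# The two markings quoted in the thread.
ALL_OFF="-p-s-m-x-e-r"
MPROTECT_ONLY="P-S--mX-E-R-"

printf 'all-off marking disables %s features\n' "$(paxctl_disabled_count "$ALL_OFF")"
printf 'mprotect-only marking disables %s feature(s)\n' "$(paxctl_disabled_count "$MPROTECT_ONLY")"
echo "what changes when moving from the all-off marking to mprotect-only:"
paxctl_diff "$ALL_OFF" "$MPROTECT_ONLY"
```

Running it prints that the all-off marking disables 6 features and the mprotect-only marking 1, followed by the five protections (PAGEEXEC, SEGMEXEC, RANDEXEC, EMUTRAMP, RANDMMAP) that get re-enabled by going back to `paxctl -m` alone.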

