Debian Bug report logs - #588599
/usr/bin/freshclam: freshclam tries to mmap() with READ/WRITE/EXECUTE access


Package: clamav-freshclam; Maintainer for clamav-freshclam is ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>; Source for clamav-freshclam is src:clamav.

Reported by: russell@coker.com.au

Date: Sat, 10 Jul 2010 04:51:02 UTC

Severity: normal

Found in version 0.96.1+dfsg-1~volatile1

Done: russell@coker.com.au

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#588599; Package clamav-freshclam. (Sat, 10 Jul 2010 04:51:04 GMT)

Acknowledgement sent to russell@coker.com.au:
New Bug report received and forwarded. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 10 Jul 2010 04:51:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/freshclam: freshclam tries to mmap() with READ/WRITE/EXECUTE access
Date: Sat, 10 Jul 2010 14:49:28 +1000
Package: clamav-freshclam
Version: 0.96.1+dfsg-1~volatile1
Severity: normal
File: /usr/bin/freshclam

type=AVC msg=audit(1278729355.797:22750): avc:  denied  { execmem } for  
pid=2649 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 
tcontext=system_u:system_r:freshclam_t:s0 tclass=process
type=SYSCALL msg=audit(1278729355.797:22750): arch=c000003e syscall=9 
success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=2649 
auid=4294967295 uid=104 gid=108 euid=104 suid=104 fsuid=104 egid=108 sgid=108 
fsgid=108 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" 
subj=system_u:system_r:freshclam_t:s0 key=(null)

The above messages are logged when running this on a SE Linux system.  It
appears to work correctly anyway, so it seems that the code has some fallback
option for when execmem is denied.

I can't think of a good reason for a program to have write/execute access to
memory when all it does is download data from the network.  Allowing such
access makes it easier for an attacker to gain control of the process and we
don't want to allow it if we can avoid it.


-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize disabled
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "10485760"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
VirusEvent disabled
ExitOnOOM disabled
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups = "yes"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "60000"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
ScanPDF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
ClamukoScanOnAccess disabled
ClamukoScannerCount = "3"
ClamukoScanOnOpen disabled
ClamukoScanOnClose disabled
ClamukoScanOnExec disabled
ClamukoIncludePath disabled
ClamukoExcludePath disabled
ClamukoMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize disabled
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav/"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/clamav-milter.log"
LogFileUnlock disabled
LogFileMaxSize disabled
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/clamav-milter.pid"
TemporaryDirectory = "/tmp"
FixStaleSocket = "yes"
MaxThreads = "10"
ReadTimeout = "180"
Foreground disabled
User = "clamav"
AllowSupplementaryGroups = "yes"
MaxFileSize = "26214400"
ClamdSocket = "unix:/var/run/clamav/clamd.ctl"
MilterSocket = "/var/run/clamav/milter.ctl"
MilterSocketGroup = "clamav"
MilterSocketMode = "666"
LocalNet disabled
OnClean = "Accept"
OnInfected = "Reject"
OnFail = "Defer"
RejectMsg disabled
AddHeader = "Replace"
ReportHostname disabled
VirusAction disabled
Chroot disabled
Whitelist disabled
SkipAuthenticated disabled
LogInfected = "Off"

Software settings
-----------------
Version: devel-debian/0.95+dfsg-1-6274-g18d94d0
WARNING: Version mismatch: libclamav=devel-debian/0.95+dfsg-1-6274-g18d94d0, clamconf=0.96.1
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 JIT
Database directory: /var/lib/clamav/
WARNING: freshclam.conf and clamd.conf point to different database directories
main.cld: version 52, sigs: 704727, built on Mon Feb 15 14:54:51 2010
daily.cld: version 11347, sigs: 102318, built on Sat Jul 10 01:48:10 2010
bytecode.cld: version 31, sigs: 7, built on Thu Jul  8 16:46:51 2010

Platform information
--------------------
uname: Linux 2.6.18-194.3.1.el5xen #1 SMP Thu May 13 13:49:53 EDT 2010 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.3.3 (1.2.3.3), compile flags: a9

Build information
-----------------
GNU C: 4.3.2 (4.3.2)
GNU C++: 4.3.2 (4.3.2)
CPPFLAGS: 
CFLAGS: -Wall -g -O2
CXXFLAGS: -Wall -g -O2
LDFLAGS: 
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-clamav' '--with-dbdir=/var/lib/clamav/' '--sysconfdir=/etc/clamav' '--enable-milter' '--disable-clamuko' '--with-gnu-ld' '--enable-dns-fix' '--disable-unrar' '--libdir=/usr/lib' '--with-system-tommath' '--with-ltdl-include=/usr/include' '--with-ltdl-lib=/usr/lib' '--config-cache' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-Wall -g -O2' 'LDFLAGS=' 'CPPFLAGS='

--- data dir ---
total 61592
-rw-r--r-- 1 clamav clamav    73728 Jul  8 17:35 bytecode.cld
-rw-r--r-- 1 clamav clamav  6222848 Jul 10 02:35 daily.cld
-rw-r--r-- 1 clamav clamav 56671744 Feb 15 17:27 main.cld
-rw------- 1 clamav clamav     2756 Jul 10 04:35 mirrors.dat

-- System Information:
Debian Release: squeeze/sid
  APT prefers lenny-backports
  APT policy: (500, 'lenny-backports'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-194.3.1.el5xen (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages clamav-freshclam depends on:
ii  clamav-base      0.96.1+dfsg-1~volatile1 anti-virus utility for Unix - base
ii  debconf [debconf 1.5.24                  Debian configuration management sy
ii  libc6            2.7-18lenny4            GNU C Library: Shared libraries
ii  libclamav6       0.96.1+dfsg-1~volatile1 anti-virus utility for Unix - libr
ii  logrotate        3.7.1-5                 Log rotation utility
ii  lsb-base         3.2-20                  Linux Standard Base 3.2 init scrip
ii  ucf              3.0016                  Update Configuration File: preserv
ii  zlib1g           1:1.2.3.3.dfsg-12       compression library - runtime

clamav-freshclam recommends no packages.

Versions of packages clamav-freshclam suggests:
pn  clamav-docs                   <none>     (no description available)

-- debconf information:
  clamav-freshclam/http_proxy:
  clamav-freshclam/autoupdate_freshclam: daemon
  clamav-freshclam/proxy_user:
  clamav-freshclam/update_interval: 24
  clamav-freshclam/NotifyClamd: false
  clamav-freshclam/local_mirror: db.local.clamav.net
  clamav-freshclam/internet_interface:
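The C program below is an added example (not ClamAV or LLVM code) for reading the denial in the report above. It decodes the SYSCALL record's a1/a2/a3/exit fields into the mmap() call freshclam actually made (audit prints a0..a3 in hexadecimal, so a1=1000 is 4096 bytes and a3=22 is 0x22), applies the rule the kernel's SELinux mmap hook uses to decide when process:execmem is charged, and reproduces the probe-and-fallback behaviour Russell observed (the later message in this thread traces it to cli_bytecode_init_jit()). The hex values are the ones from the report; the function names and everything else are the example's own.

```c
/* Added example, not ClamAV or LLVM code: decode the audit SYSCALL record
 * from the report and reproduce the RWX probe that decides JIT vs.
 * interpreter. Assumes x86_64 Linux; the field values used in main()
 * (a1=1000, a2=7, a3=22, exit=-13) are the ones from the report, and
 * audit prints a0..a3 in hexadecimal. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Probe for RWX anonymous memory the way LLVM's AllocateRWX() does: map
 * one page, release it, report whether the kernel (and any MAC policy
 * such as SELinux execmem) allowed it. 1 = JIT usable, 0 = caller must
 * fall back to the interpreter. On 0, *saved_errno receives the errno
 * (EACCES under SELinux; exit=-13 in the report is exactly that). */
int probe_rwx(int *saved_errno)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        if (saved_errno)
            *saved_errno = errno;
        return 0;
    }
    munmap(p, 4096);
    if (saved_errno)
        *saved_errno = 0;
    return 1;
}

/* Append a flag name to out, separating entries with '|'. */
static void append(char *out, size_t len, const char *name)
{
    size_t used = strlen(out);
    if (used < len)
        snprintf(out + used, len - used, "%s%s", used ? "|" : "", name);
}

/* Render the mmap prot mask (audit field a2) as PROT_* names. */
void decode_prot(unsigned long prot, char *out, size_t len)
{
    out[0] = '\0';
    if (prot & PROT_READ)  append(out, len, "PROT_READ");
    if (prot & PROT_WRITE) append(out, len, "PROT_WRITE");
    if (prot & PROT_EXEC)  append(out, len, "PROT_EXEC");
    if (out[0] == '\0')    append(out, len, "PROT_NONE");
}

/* Render the mmap flags (audit field a3) as MAP_* names; only the bits
 * that matter for the execmem decision are decoded. */
void decode_map_flags(unsigned long flags, char *out, size_t len)
{
    out[0] = '\0';
    if (flags & MAP_SHARED)    append(out, len, "MAP_SHARED");
    if (flags & MAP_PRIVATE)   append(out, len, "MAP_PRIVATE");
    if (flags & MAP_FIXED)     append(out, len, "MAP_FIXED");
    if (flags & MAP_ANONYMOUS) append(out, len, "MAP_ANONYMOUS");
}

/* Mirror the rule in the kernel's SELinux mmap hook: PROT_EXEC on an
 * anonymous mapping, or on a private file mapping that is also writable,
 * is charged to process:execmem (with the usual default_noexec setting).
 * A read-only private file mapping with PROT_EXEC is checked against the
 * file's execute permission instead and is not execmem. */
int triggers_execmem(unsigned long prot, unsigned long flags)
{
    if (!(prot & PROT_EXEC))
        return 0;
    if (flags & MAP_ANONYMOUS)
        return 1;
    return (!(flags & MAP_SHARED) && (prot & PROT_WRITE)) ? 1 : 0;
}

int main(void)
{
    /* Values copied from the SYSCALL record in the report (hex). */
    unsigned long a1 = strtoul("1000", NULL, 16);
    unsigned long a2 = strtoul("7", NULL, 16);
    unsigned long a3 = strtoul("22", NULL, 16);
    long exit_code = -13;
    char prot[64], flags[64];

    decode_prot(a2, prot, sizeof prot);
    decode_map_flags(a3, flags, sizeof flags);
    printf("mmap(NULL, %lu, %s, %s) -> %s; execmem needed: %s\n",
           a1, prot, flags, strerror((int)-exit_code),
           triggers_execmem(a2, a3) ? "yes" : "no");

    int err = 0;
    if (probe_rwx(&err))
        printf("RWX probe succeeded: JIT would be used\n");
    else
        printf("RWX probe refused (%s): falling back to interpreter\n",
               strerror(err));
    return 0;
}
```

On an unconfined host the probe succeeds and the program reports that the JIT would be used; under the freshclam_t policy from the report the same call is refused with EACCES and the program takes the interpreter branch, which is the silent fallback Russell saw. The decoder is the quick check to run on any execmem AVC: if a3 carries MAP_ANONYMOUS and a2 carries PROT_EXEC, the process asked for memory it can both write and execute, whatever the surrounding program claims to be doing.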




Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#588599; Package clamav-freshclam. (Sat, 10 Jul 2010 07:27:04 GMT)

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 10 Jul 2010 07:27:04 GMT)

Message #10 received at 588599@bugs.debian.org:

From: Stephen Gran <sgran@debian.org>
To: russell@coker.com.au, 588599@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#588599: /usr/bin/freshclam: freshclam tries to mmap() with READ/WRITE/EXECUTE access
Date: Sat, 10 Jul 2010 08:24:44 +0100
This one time, at band camp, Russell Coker said:
> type=AVC msg=audit(1278729355.797:22750): avc:  denied  { execmem } for  
> pid=2649 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 
> tcontext=system_u:system_r:freshclam_t:s0 tclass=process
> type=SYSCALL msg=audit(1278729355.797:22750): arch=c000003e syscall=9 
> success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=2649 
> auid=4294967295 uid=104 gid=108 euid=104 suid=104 fsuid=104 egid=108 sgid=108 
> fsgid=108 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" 
> subj=system_u:system_r:freshclam_t:s0 key=(null)
> 
> The above messages are logged when running this on a SE Linux system.  It
> appears to work correctly anyway so it seems that the code has some fallback
> option for if execmem is denied.
> 
> I can't think of a good reason for a program to have write/execute access to
> memory when all it does is download data from the network.

I agree.  Can you provide some help tracking it down?

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#588599; Package clamav-freshclam. (Mon, 12 Jul 2010 09:48:10 GMT)

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Mon, 12 Jul 2010 09:48:10 GMT)

Message #15 received at 588599@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: 588599@bugs.debian.org
Subject: tracking it down
Date: Mon, 12 Jul 2010 19:39:09 +1000
cli_bytecode_init_jit() in libclamav/c++/bytecode2llvm.cpp in the clamav 
source tree has the following:

    sys::MemoryBlock B = sys::Memory::AllocateRWX(4096, NULL, &ErrMsg);
    if (B.base() == 0) {
        errs() << MODULE << ErrMsg << "\n";
#ifdef __linux__
        errs() << MODULE << "SELinux is preventing 'execmem' access. Run 'setsebool -P clamd_use_jit on' to allow access\n";
#endif
        errs() << MODULE << "falling back to interpreter mode\n";
        return 0;
    } else {
        sys::Memory::ReleaseRWX(B);
    }

The fact that the developers assumed that SE Linux is the only mechanism that 
prevents RWX access is interesting.

In the SE Linux policy the boolean in question only applies to the clamd_t 
domain not the freshclam_t domain, but for some reason freshclam uses the jit 
anyway.  Should we put in a dontaudit rule for freshclam_t (to silently deny 
execmem and force using the interpreter all the time) or include it in the 
boolean section so that it gets execmem access if clamd_t gets it?

Also on my system the error message about SE Linux doesn't seem to get written 
to the log file, so I only found it by reading the source.





Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#588599; Package clamav-freshclam. (Mon, 12 Jul 2010 14:57:03 GMT)

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Mon, 12 Jul 2010 14:57:03 GMT)

Message #20 received at 588599@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: 588599@bugs.debian.org
Cc: control@bugs.debian.org
Subject: closing this
Date: Tue, 13 Jul 2010 00:55:24 +1000
close 588599
thanks
http://marc.info/?l=selinux&m=127893898208934&w=2

At the above URL Török Edwin explains why both freshclam and clamd should have 
execmem access or lack it.  Therefore the existing SE Linux boolean should be 
used to control freshclam access to execmem as well.

I've already fixed this in a new policy package that I will upload soon so 
I'll just close this one.
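An added illustration, in refpolicy .te syntax, of the resolution the two messages above settle on (tie freshclam_t to the existing clamd_use_jit boolean rather than giving it a standalone dontaudit). This is not Russell's uploaded policy package and not the upstream refpolicy module; the rule bodies are an assumption about how such a conditional reads, and the clamd_use_jit boolean is assumed to be declared elsewhere in clamav.te.

```m4
# Assumed shape of the conditional in clamav.te (illustration, not the
# shipped policy). The clamd_use_jit boolean is assumed to be declared
# elsewhere in the module; only the rules it controls are shown.
tunable_policy(`clamd_use_jit',`
	# Both domains may map RWX anonymous memory when the JIT is enabled...
	allow clamd_t self:process execmem;
	allow freshclam_t self:process execmem;
',`
	# ...and both are refused silently otherwise, so the fallback to the
	# interpreter no longer produces an AVC every time freshclam runs.
	dontaudit clamd_t self:process execmem;
	dontaudit freshclam_t self:process execmem;
')
```

With such a policy loaded, `setsebool -P clamd_use_jit on` (the command the ClamAV source itself prints) enables the JIT for both daemons at once, and with the boolean off a freshclam run can be checked with `ausearch -m avc -c freshclam` to confirm the execmem denial is no longer logged. The point of pairing the two domains is the one Russell's closing message makes: the bytecode engine is the same in both processes, so they should get execmem together or not at all.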




Bug closed, send any further explanations to russell@coker.com.au Request was from Russell Coker <russell@coker.com.au> to control@bugs.debian.org. (Mon, 12 Jul 2010 14:57:04 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Aug 2010 07:36:31 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:30:27 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.