[Bug 597875] Re: Clam freezes during recursive scan

Steve Beattie sbeattie at ubuntu.com
Thu Jun 24 07:54:16 BST 2010


I can reproduce the pread() failures with clamscan from clamav
0.96.1+dfsg-0ubuntu0.10.04.1 on lucid; however, all of the files reporting
errors occur on /sys which is the (default) location where the sysfs
filesystem is located. The sysfs filesystem is a synthetic filesystem
that exposes information about the system: buses, devices, cpus, etc. As
I said, it's a synthetic filesystem; that is, the contents of the
directories and files are generated by the kernel on the fly and in many
cases the amount of data reported may not be easily computable in
advance.

Thus, if you examine the files that clamscan is reporting errors about,
you'll see that they're usually 4096 bytes in size, and clamscan is
failing to read X number of bytes after having read 4096 - X bytes from
the file.

For the speculators, I've also verified by examining /var/log/kern.log
that these pread() failures are not the result of AppArmor rejections.

On my test system, I also reproduce the apparent hanging behavior; it's
stuck repeatedly trying to pread() from
/sys/devices/platform/vga16fb.0/graphics/fb0/bl_curve and not stopping
despite getting EINVAL returned, as the snippet from ptrace shows:

  pread(10, 0x7fd093dd6550, 14189025968, 18446744059520529744) = -1 EINVAL (Invalid argument)
  pread(10, 0x7fd093dd654f, 14189025969, 18446744059520529743) = -1 EINVAL (Invalid argument)
  pread(10, 0x7fd093dd654e, 14189025970, 18446744059520529742) = -1 EINVAL (Invalid argument)

  $ sudo ls -l /proc/15345/fd/10
  lr-x------ 1 root root 64 2010-06-23 23:37 /proc/15345/fd/10 -> /sys/devices/platform/vga16fb.0/graphics/fb0/bl_curve

Really, clamscan should be skipping sysfs filesystems; if your running
kernel is offering up trojaned or otherwise malicious files there, your
system is seriously compromised and whatever has been maliciously
injected into it would likely also be smart enough to behave normally
for something that looks like a virus/trojan scanner. OTOH, it could be
more sensible about how it behaves in the face of files that lie about
their size.

I've attached the output from my test run of clamscan, to show that
indeed, all the files I saw reported are under /sys aka sysfs.

** Attachment added: "clamscan.log"
   http://launchpadlibrarian.net/50835770/clamscan.log

-- 
Clam freezes during recursive scan
https://bugs.launchpad.net/bugs/597875
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to clamav in ubuntu.
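
The following is an added example, not part of the original message and not ClamAV code. It sketches the two behaviors the message asks for: skipping files that live on sysfs, and a pread() loop that stops on a short read or a hard error such as EINVAL instead of retrying forever. The function names on_sysfs and read_claimed are hypothetical, and the code is Linux-specific.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/vfs.h>
#include <unistd.h>

#ifndef SYSFS_MAGIC
#define SYSFS_MAGIC 0x62656572 /* same value as in <linux/magic.h> */
#endif

/* Returns 1 if path is on sysfs, 0 if it is not, -1 if statfs() fails. */
int on_sysfs(const char *path)
{
    struct statfs sfs;
    if (statfs(path, &sfs) != 0)
        return -1;
    return (unsigned long)sfs.f_type == SYSFS_MAGIC;
}

/* Read up to `claimed` bytes (the size stat() reported) starting at offset 0.
 * Returns the bytes actually read, which may be fewer, or -1 on a hard error. */
ssize_t read_claimed(int fd, unsigned char *buf, size_t claimed)
{
    size_t got = 0;
    while (got < claimed) {
        ssize_t n = pread(fd, buf + got, claimed - got, (off_t)got);
        if (n > 0) { got += (size_t)n; continue; }
        if (n == 0) break;             /* EOF early: the size was a lie, stop */
        if (errno == EINTR) continue;  /* the only error worth retrying */
        return -1;                     /* EINVAL, EIO, ...: give up on this file */
    }
    return (ssize_t)got;
}

int main(int argc, char **argv)
{
    static unsigned char buf[4096];
    if (argc < 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    if (on_sysfs(argv[1]) != 0) { printf("skipped: %s\n", argv[1]); return 0; }
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) { perror("open"); return EXIT_FAILURE; }
    printf("read %zd of %zu claimed bytes\n", read_claimed(fd, buf, sizeof buf), sizeof buf);
    close(fd);
    return EXIT_SUCCESS;
}
```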


