#902899 clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update

Package:
clamav-daemon
Source:
clamav
Description:
anti-virus utility for Unix - scanner daemon
Submitter:
Bernhard Schmidt
Date:
2021-10-14 17:21:07 UTC
Severity:
important
Tags:
#902899#5
Date:
2018-07-03 07:04:21 UTC
From:
To:
Hi,

after upgrading my Stretch mailserver with the packages from stretch-proposed-updates
clamav-daemon dies with the following error message

root@mail:~# systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           └─extend.conf
   Active: failed (Result: signal) since Tue 2018-07-03 07:40:12 CEST; 1h 18min ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
https://www.clamav.net/documents/
  Process: 21927 ExecStart=/usr/sbin/clamd --foreground=true (code=killed, signal=ABRT)
  Process: 21923 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
  Process: 21922 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
 Main PID: 21927 (code=killed, signal=ABRT)

Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully
Jul 03 07:30:36 mail clamd[21927]: Tue Jul  3 07:30:36 2018 -> Database correctly reloaded (6790696 signatures)
Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=6/ABRT
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Unit entered failed state.
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Failed with result 'signal'.

0.99.4+dfsg-1+deb9u1 -> 0.100.0+dfsg-0+deb9u1

This is probably related to using third-party signatures, but still a regression.

Best Regards,
Bernhard
--- data dir ---
total 471560
-rw-r--r-- 1 clamav clamav     10889 Mar  6 22:55 EK_Angler.yar
-rw-r--r-- 1 clamav clamav     14659 Mar  6 22:55 EK_Blackhole.yar
-rw-r--r-- 1 clamav clamav      3401 Mar  6 22:55 EK_BleedingLife.yar
-rw-r--r-- 1 clamav clamav      1349 Mar  6 22:55 EK_Crimepack.yar
-rw-r--r-- 1 clamav clamav      4688 Mar  6 22:55 EK_Eleonore.yar
-rw-r--r-- 1 clamav clamav      8268 Mar  6 22:55 EK_Fragus.yar
-rw-r--r-- 1 clamav clamav     16842 Mar  6 22:55 EK_Phoenix.yar
-rw-r--r-- 1 clamav clamav      1860 Mar  6 22:55 EK_Sakura.yar
-rw-r--r-- 1 clamav clamav      8488 Mar  6 22:55 EK_ZeroAcces.yar
-rw-r--r-- 1 clamav clamav      1435 Mar  6 22:55 EK_Zerox88.yar
-rw-r--r-- 1 clamav clamav       800 Mar  6 22:55 EK_Zeus.yar
-rw-r--r-- 1 clamav clamav      1462 Jul  1  2015 Sanesecurity_sigtest.yara
-rw-r--r-- 1 clamav clamav      1233 Feb 22  2016 Sanesecurity_spam.yara
-rw-r--r-- 1 clamav clamav     47013 Mar  6 22:55 antidebug_antivm.yar
-rw-r--r-- 1 clamav clamav   7519880 Jul  3 07:11 blurl.ndb
-rw-r--r-- 1 clamav clamav      1770 Jul  1 03:02 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamav clamav       128 Jun 28 03:03 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamav clamav    106188 Mar  6 22:03 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamav clamav      2766 Jul  2 21:02 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamav clamav    947712 Jun 22 17:10 bytecode.cld
drwxr-xr-x 2 clamav clamav      4096 May 12  2013 clamav-0a47a4a7b96ec68cefacb0290f91268b
-rw-r--r-- 1 clamav clamav 143277568 Jul  3 07:30 daily.cld
-rw-r--r-- 1 clamav clamav    137631 Jun 29 10:10 foxhole_filename.cdb
-rw-r--r-- 1 clamav clamav     51613 Mar 26 15:11 foxhole_generic.cdb
-rw-r--r-- 1 clamav clamav     48176 Aug  5  2015 hackingteam.hsb
-rw-r--r-- 1 clamav clamav   7111512 Jul  2 09:15 junk.ndb
-rw-r--r-- 1 clamav clamav   1568640 Jul  3 07:11 jurlbl.ndb
-rw-r--r-- 1 clamav clamav 307499008 Jun  7  2017 main.cld
-rw-r--r-- 1 clamav clamav     73808 Jun 29  2017 malwarehash.hsb
-rw-r--r-- 1 clamav clamav      3900 Jul  3 08:30 mirrors.dat
-rw-r--r-- 1 clamav clamav   4038222 Jun 29 11:09 phish.ndb
-rw-r--r-- 1 clamav clamav   5108426 Jul  1 11:01 phishtank.ndb
-rw-r--r-- 1 clamav clamav     24284 Jul  3 05:01 porcupine.hsb
-rw-r--r-- 1 clamav clamav    341666 Jul  3 07:01 porcupine.ndb
-rw-r--r-- 1 clamav clamav    848077 May  9 07:36 rfxn.hdb
-rw-r--r-- 1 clamav clamav    450812 Jun 20 19:08 rfxn.ndb
-rw-r--r-- 1 clamav clamav    490895 Jul  2 16:11 rogue.hdb
-rw-r--r-- 1 clamav clamav     11098 Oct 18  2016 sanesecurity.ftm
-rw-r--r-- 1 clamav clamav   1895835 Jun 26 22:12 scam.ndb
-rw-r--r-- 1 clamav clamav       328 Jun 12 14:10 sigwhitelist.ign2
-rw-r--r-- 1 clamav clamav      1391 Apr 28  2017 spamattach.hdb
-rw-r--r-- 1 clamav clamav     15182 Jun 19 10:11 spamimg.hdb
-rw-r--r-- 1 clamav clamav    526635 Mar  5 09:00 winnow.attachments.hdb
-rw-r--r-- 1 clamav clamav        66 Mar  5 09:00 winnow_bad_cw.hdb
-rw-r--r-- 1 clamav clamav     16271 Mar  5 09:00 winnow_extended_malware.hdb
-rw-r--r-- 1 clamav clamav     18189 Mar  5 09:00 winnow_malware.hdb
-rw-r--r-- 1 clamav clamav      3782 Mar  5 09:00 winnow_malware.yara
-rw-r--r-- 1 clamav clamav    506160 Jun 26 12:27 winnow_malware_links.ndb

#902899#10
Date:
2018-07-03 07:16:18 UTC
From:
To:
There is a bug report in the unofficial-sigs repo stating the same; the
workaround is to disable the yara rules.

#902899#17
Date:
2018-07-04 12:00:47 UTC
From:
To:
Okay. It is not just "probably". Could you please make the file
available? I will try to forward it to clamav upstream and see what
they intend to do about it. The progress on the github issue looks
stale.

Sebastian

#902899#22
Date:
2018-07-05 20:54:58 UTC
From:
To:
On 04.07.2018 14:00, Sebastian Andrzej Siewior wrote:

Hi Sebastian,

Attached. Note that antidebug_antivm.yar is the one with the errors on
loading, but the actual assertion is later when the first (?) mail is
processed with clamd. So it might be related to any of the .yara? files.

Thanks for looking into this.

Bernhard

#902899#27
Date:
2018-07-05 21:44:46 UTC
From:
To:
control: forwarded -1 https://bugzilla.clamav.net/show_bug.cgi?id=12077
Hi Bernhard,

While trying to forward this upstream I found a report :) So upstream
wants to address it but has no timeline. It considers the rule file as
broken and it doesn't work, but now clamav actually complains.

I suggest you remove the offending file. I have no other recommendation.

Sebastian

#902899#34
Date:
2018-07-05 21:52:31 UTC
From:
To:
On 05.07.2018 23:44, Sebastian Andrzej Siewior wrote:

Hi Sebastian,

I totally agree and I have already done this. I have filed a bug because
I assume this will hit at least some people on the next Stretch point
release hard. Not sure whether one can workaround this in clamav (and it
might already be too late).

Bernhard

#902899#39
Date:
2018-07-06 12:35:16 UTC
From:
To:
Hi Bernhard,

Today is the last day, I guess, due to the freeze for the point release. I
sneaked in a fix for removed options but I think this is it. I have
currently no idea where to start working around the yara thing. It is
known by both upstream sides (clamav and unofficial-sigs) since April or
so and there was no progress since. And I can't change the world :)

So let's see how many people complain here after the point release…

Sebastian

#902899#44
Date:
2018-07-09 20:45:15 UTC
From:
To:
I got bitten by this too in jessie-updates (after wasting some time
being *sure* the local signature I was just creating at the time made
clamd crash silently)...

I did:
  rm -f /var/lib/clamav/*.yar
(just removing "antidebug_antivm.yar" was not enough)

and put:
  enable_yararules=""

in /etc/clamav-unofficial-sigs/user.conf

and after restarting clamd, it seems to work fine...
Hopefully it won't download them again.

Still wondering how much of protection is lost without YARA rules?

#902899#49
Date:
2018-07-10 06:01:56 UTC
From:
To:
Wasn't there an assert which made clamd exit?

…
Go through your log files and check for yourself how many mails were
checked positive with one of the rules.

I don't know if all rules were broken or just one. The earlier release
just ignored the broken/wrong rule.

Sebastian

#902899#54
Date:
2018-08-20 07:31:32 UTC
From:
To:
No, /var/log/clamav* does not contain any info about clamd crash
(which made it hard to debug), and that system does not use systemd
(so no information from systemd journal like the OP).

Only when one runs "clamscan" manually (or debugs clamd+clamdscan
manually outside the Debian startup scripts) did I see:
"clamscan: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed."
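
Added example, not part of this bug report and not code from the clamav or clamav-unofficial-sigs projects: a small POSIX shell triage script for the failure discussed in this thread. It pulls the rule files clamd failed to parse out of log lines like the ones in the first message, counts the yr_execute_code aborts, flags third-party .yar/.yara files that import a YARA module (assumption: libclamav's YARA engine does not support modules, which would explain the 'undefined identifier "pe"' errors), applies the workaround from message #44 reversibly (move the files aside instead of rm -f, then set enable_yararules="" in user.conf), and, only if clamscan is installed, pre-flights a single rule file so the abort shows up as exit status 134 instead of a silent clamd death. The log excerpt and the rule directory it works on are constructed, so it runs offline; the log, signature and config paths in the comments are the usual Debian ones.

```sh
#!/bin/sh
# Added triage helpers for #902899; example code, not from the bug report or
# from the clamav / clamav-unofficial-sigs projects. Inputs below are constructed
# so the script runs offline. On a real host point the functions at
# /var/log/clamav/clamav.log, /var/lib/clamav and
# /etc/clamav-unofficial-sigs/user.conf.
set -u
export LC_ALL=C

# Constructed log excerpt modelled on the report (not a real capture).
sample_log() {
cat <<'EOF'
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/EK_Demo.yar line 12 undefined identifier "pe"
Jul 03 07:30:36 mail clamd[21927]: Tue Jul  3 07:30:36 2018 -> Database correctly reloaded (6790696 signatures)
Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
EOF
}

# Rule files clamd failed to parse (from yyerror lines on stdin), deduplicated.
yara_parse_failures() {
    sed -n 's/.*yyerror(): \([^ ]*\) line [0-9]* .*/\1/p' | sort -u
}

# Number of yr_execute_code assertion aborts in the log on stdin (0 if none).
yara_exec_aborts() {
    grep -c 'yr_execute_code: Assertion' || true
}

# Rule files directly under $1 that import a YARA module (e.g. import "pe").
# Assumption: libclamav's YARA engine has no module support, so these are the
# candidates behind the 'undefined identifier "pe"' errors.
yara_files_using_modules() {
    find "$1" -maxdepth 1 -type f \( -name '*.yar' -o -name '*.yara' \) \
        -exec grep -lE '^[[:space:]]*import[[:space:]]+"' {} + 2>/dev/null | sort
}

# The reporters' workaround, made reversible: move every .yar/.yara in $1 to $2
# instead of rm -f. Prints how many files were moved; .ndb/.hdb etc. stay.
quarantine_yara_rules() {
    mkdir -p "$2"
    n=0
    for f in "$1"/*.yar "$1"/*.yara; do
        [ -f "$f" ] || continue
        mv "$f" "$2"/ && n=$((n + 1))
    done
    echo "$n"
}

# Set enable_yararules="" in a clamav-unofficial-sigs user.conf ($1), replacing
# any existing setting, so the next update does not fetch the rules again.
disable_yararules_in() {
    touch "$1"
    tmp="$1.tmp.$$"
    grep -v '^enable_yararules=' "$1" > "$tmp" || true
    printf 'enable_yararules=""\n' >> "$tmp"
    mv "$tmp" "$1"
    grep '^enable_yararules=' "$1"
}

# Pre-flight one rule file ($1) alone against a sample file ($2) with clamscan,
# if installed. Prints the exit status; 134 (128+SIGABRT) is the assertion
# from the report, 0/1/2 are clamscan's clean/infected/error codes.
preflight_rule_file() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed"; return 0; }
    if clamscan --quiet -d "$1" "$2" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# Constructed rule directory: one file importing pe, one plain rule, one .ndb.
make_demo_ruledir() {
    d=$(mktemp -d)
    printf 'import "pe"\nrule demo_pe { condition: pe.number_of_sections > 0 }\n' > "$d/antidebug_antivm.yar"
    printf 'rule demo_plain { strings: $a = "constructed" condition: $a }\n' > "$d/winnow_malware.yara"
    : > "$d/junk.ndb"
    echo "$d"
}

# Demo run on the constructed inputs.
echo "rule files clamd failed to parse:"; sample_log | yara_parse_failures
echo "yr_execute_code aborts seen: $(sample_log | yara_exec_aborts)"
demo=$(make_demo_ruledir)
echo "rule files importing YARA modules:"; yara_files_using_modules "$demo"
echo "moved $(quarantine_yara_rules "$demo" "$demo/disabled") rule file(s) to $demo/disabled"
disable_yararules_in "$demo/user.conf"
rm -rf "$demo"
```

On a real Stretch host the same functions would be fed with `yara_parse_failures < /var/log/clamav/clamav.log`, `yara_files_using_modules /var/lib/clamav`, and `quarantine_yara_rules /var/lib/clamav /var/lib/clamav-disabled-yara` before `systemctl restart clamav-daemon`; note that, as message #54 points out, on a non-systemd host the assertion may only be visible by running clamscan or clamd by hand, which is what preflight_rule_file does per file.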