1 (edited by axelgenus 2010-07-02 21:35:58)

Topic: ClamAV keeps crashing

Hi, since July 30th on my Debian Lenny server, ClamAV keeps crashing. This is an example of the error messages left in /var/log/mail.err.

Jul  2 15:11:27 athena amavis[22368]: (22368-05) (!!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /tmp/clamd.socket (Can't connect to UNIX socket /tmp/clamd.socket: Connection refused) at (eval 98) line 309.
Jul  2 15:11:27 athena amavis[22368]: (22368-05) (!!)WARN: all primary virus scanners failed, considering backups
Jul  2 15:11:27 athena amavis[22368]: (22368-05) (!!)run_av (ClamAV-clamscan) FAILED - unexpected exit 2, output="WARNING: Ignoring deprecated option --disable-summary\nERROR: Option --tempdir requires a non-empty string argument\nERROR: Can't parse command line options"
Jul  2 15:11:27 athena amavis[22368]: (22368-05) (!!)ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 2, output="WARNING: Ignoring deprecated option --disable-summary\nERROR: Option --tempdir requires a non-empty string argument\nERROR: Can't parse command line options" at (eval 98) line 527.
Jul  2 15:11:27 athena amavis[22368]: (22368-05) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /tmp/clamd.socket (Can't connect to UNIX socket /tmp/clamd.socket: Connection refused) at (eval 98) line 309.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 2, output="WARNING: Ignoring deprecated option --disable-summary\nERROR: Option --tempdir requires a non-empty string argument\nERROR: Can't parse command line options" at (eval 98) line 527.

I'm trying to get it working but so far no luck... anyone got a solution?

2

Re: ClamAV keeps crashing

I managed to get a strace of clamd crashing:

read(5, "\0"..., 1025)                  = 1
time([1278405187])                      = 1278405187
time([1278405187])                      = 1278405187
poll([{fd=5, events=POLLIN}, {fd=9, events=POLLIN}], 2, 5000) = 1 ([{fd=9, revents=POLLIN}])
recvmsg(9, {msg_name(0)=NULL, msg_iov(1)=[{"CONTSCAN /var/lib/amavis/tmp/amav"..., 4104}], msg_controllen=0, msg_flags=0}, 0) = 64
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_32BIT, -1, 0) = 0x410d1000
mprotect(0x410d1000, 4096, PROT_NONE)   = 0
clone(child_stack=0x418d1250, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x418d19e0, tls=0x418d1950, child_tidptr=0x418d19e0) = 15830
futex(0x707ed0, FUTEX_WAKE_PRIVATE, 1)  = 1
time([1278405187])                      = 1278405187
time([1278405187])                      = 1278405187
time([1278405187])                      = 1278405187
poll([{fd=5, events=POLLIN}], 1, 3600000 <unfinished ...>
+++ killed by SIGKILL +++

Please help me, I'm going crazy over this!

3

Re: ClamAV keeps crashing

Suggestions:

1: Disable anti-virus first. Set the following in amavisd.conf (restarting the amavisd service is required):

@bypass_virus_checks_maps = (1);

2: Try to upgrade clamav to the latest version, make sure it works as expected, and then comment out the above line.

3: If upgrading doesn't work, try to downgrade it.

4 (edited by axelgenus 2010-07-07 17:19:12)

Re: ClamAV keeps crashing

Ok, it's a ClamAV bug. I attached GDB to clamd and the signal which made it stop was SIGKILL, so another process killed it. ClamAV 0.96 and later features a Just In Time compiler which is incompatible with PAX. Moreover, clamscan didn't work either, for the exact same reason, so I had no antivirus for a week!!! -.-

Here are the details of the "murder":

Jul  6 23:23:52 athena kernel: [129972.129983] PAX: From xxx.yyy.zzz.www: execution attempt in: <anonymous mapping>, 6fb1ecf94000-6fb1ed0ed000 6fb1ecf94000
Jul  6 23:23:52 athena kernel: [129972.130047] PAX: terminating task: /usr/sbin/clamd(clamd):22834, uid/euid: 106/106, PC: 00006fb1ed0611f0, SP: 0000000041aa5b98
Jul  6 23:23:52 athena kernel: [129972.130098] PAX: bytes at PC: 48 83 ec 08 48 b8 10 10 06 ed b1 6f 00 00 ff d0 48 83 c4 08
Jul  6 23:23:52 athena kernel: [129972.130159] PAX: bytes at SP-8: 0000000041aa60a0 00006fb1f9362fd1 0000000041aa6220 00006fb1ed0611f0 0000000041aa60a0 01c842b973b5fe16 00006fb1ed0611f0 0000000041aa6220 000$
Jul  6 23:24:02 athena kernel: [129982.004438] PAX: execution attempt in: <anonymous mapping>, 732826731000-73282688a000 732826731000
Jul  6 23:24:02 athena kernel: [129982.004493] PAX: terminating task: /usr/bin/clamscan(clamscan):22836, uid/euid: 108/108, PC: 00007328267fe1f0, SP: 00007d3f96bac428
Jul  6 23:24:02 athena kernel: [129982.004545] PAX: bytes at PC: 48 83 ec 08 48 b8 10 e0 7f 26 28 73 00 00 ff d0 48 83 c4 08
Jul  6 23:24:02 athena kernel: [129982.004606] PAX: bytes at SP-8: 00007d3f96bac930 000073283232afd1 00007d3f96bacab0 00007328267fe1f0 00007d3f96bac930 ddb238b97787fe16 00007328267fe1f0 00007d3f96bacab0 000$
Jul  6 23:24:02 athena kernel: [129982.004735] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/clamscan[clamscan:22836] uid/euid:108/108 gid/egid:113/113, par$

I searched the ClamAV Bugzilla and this bug has already been detected. The easiest solution is to delete /var/lib/clamav/bytecode.cld and specify "Bytecode off" in /etc/clamav/freshclam.conf. This way the JIT has no definition and PAX doesn't kick in.

Finally it's working again. Thank you for your support.
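
One way to pull the same diagnosis out of a kernel log, as an added example that is not part of the original posts: it pairs each PaX "execution attempt" line with the "terminating task" line that follows and checks that the faulting PC lies inside the reported mapping. The sample log is constructed (hostname, PIDs and source address are made up, in the format of the lines quoted above), and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the kernel log lines quoted in the thread.
SAMPLE_LOG = """\
Jul  6 23:23:52 host kernel: [100.000001] PAX: From 192.0.2.10: execution attempt in: <anonymous mapping>, 6fb1ecf94000-6fb1ed0ed000 6fb1ecf94000
Jul  6 23:23:52 host kernel: [100.000002] PAX: terminating task: /usr/sbin/clamd(clamd):1234, uid/euid: 106/106, PC: 00006fb1ed0611f0, SP: 0000000041aa5b98
Jul  6 23:23:53 host kernel: [101.000000] eth0: link up
Jul  6 23:24:02 host kernel: [110.000001] PAX: execution attempt in: <anonymous mapping>, 732826731000-73282688a000 732826731000
Jul  6 23:24:02 host kernel: [110.000002] PAX: terminating task: /usr/bin/clamscan(clamscan):1236, uid/euid: 108/108, PC: 00007328267fe1f0, SP: 00007d3f96bac428
"""

# "From <addr>:" is optional; it appears on only one of the two quoted events.
ATTEMPT = re.compile(r"PAX: (?:From \S+: )?execution attempt in: "
                     r"(?P<mapping>.+?), (?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) ")
TERMINATE = re.compile(r"PAX: terminating task: (?P<path>.+?)\((?P<comm>[^)]*)\):"
                       r"(?P<pid>\d+), uid/euid: (?P<uid>\d+)/\d+, PC: (?P<pc>[0-9a-f]+)")

@dataclass
class PaxKill:
    path: str            # binary that was killed
    pid: int
    uid: int
    mapping: str         # mapping the kernel refused to execute from
    pc_in_mapping: bool  # True if the faulting PC falls inside that mapping

def parse_pax_kills(log_text):
    """Return one PaxKill per 'terminating task' line, paired with the
    'execution attempt' line that immediately preceded it (if any)."""
    kills, pending = [], None
    for line in log_text.splitlines():
        attempt = ATTEMPT.search(line)
        if attempt:
            pending = attempt
            continue
        term = TERMINATE.search(line)
        if not term:
            continue
        mapping, inside = "unknown", False
        if pending is not None:
            pc = int(term["pc"], 16)
            inside = int(pending["start"], 16) <= pc < int(pending["end"], 16)
            mapping, pending = pending["mapping"], None
        kills.append(PaxKill(term["path"], int(term["pid"]), int(term["uid"]), mapping, inside))
    return kills

def jit_suspects(kills):
    """Binaries killed while executing from an anonymous mapping, the
    pattern runtime-generated (JIT) code produces under PaX."""
    return sorted({k.path for k in kills
                   if k.mapping == "<anonymous mapping>" and k.pc_in_mapping})
```

Running `jit_suspects(parse_pax_kills(open("/var/log/kern.log").read()))` on a real host assumes the kernel messages land in that file; the path depends on the syslog configuration.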