Open Source Development


 clamd Crashes on AIX... Segmentation fault in pow.pow [/usr/lib/libbsd.a]

直也 酒井 posted Wed October 08, 2025 09:42 AM

Hello everyone,

This concerns an older version of the package,
I wanted to inform you that I discovered a phenomenon where the fixes for known issues in the ClamAV-1.0.7 RPM package appear to differ between clamscan and clamdscan.

There is an issue where scanning certain python libraries placed on AIX causes ClamAV to crash without leaving any message.
It seems that there are some libraries prone to issues, but in my test environment, scanning libraries including the following path almost always caused a crash;

/opt/freeware/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl

At that time, the ClamAV installed on the system (AIX 7.2) was version 1.0.7-2.
When analyzing the core from scanning the relevant file with clamscan, I found the following message;

Segmentation fault in pow.pow [/usr/lib/libbsd.a] at 0x90000000144ffb8 ($t3)
0x90000000144ffb8 (pow+0x98) 7ec6c2ae           lhax  r22,r6,r24

Based on this message, the following issue set up on ClamAV's GitHub was immediately found;

https://github.com/Cisco-Talos/clamav/issues/1435

I found ClamAV-1.0.7-3 on the AIX ToolBox site, so I updated the RPM.
(I know that version 1.4.3 has already been released, but due to limitations in updating the system environment, we are currently unable to immediately update the package to a new major version.)

After updating to 1.0.7-3, clamscan started scanning problematic files properly.
However, clamdscan in the same package continues to crash clamd when scanning this file.
Since I had set it to output a core, I analyzed it and it seems that it is indeed crashing in pow() of libbsd.a as follows;

Segmentation fault in pow.pow [/usr/lib/libbsd.a] at 0x90000000144ffb8 ($t3)
0x90000000144ffb8 (pow+0x98) 7ec6c2ae           lhax   r22,r6,r24

Is it that the known issues were only left unaddressed in clamd, or is there another problem?

I understand that support for ClamAV 1.0.x will end next month, but if that is causing crashes due to a known issue, I don't think it's good.

Aditya Kamath

Hi,

# clamdscan /opt/freeware/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl
 
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
Start Date: 2025:10:10 03:47:34
End Date:   2025:10:10 03:47:34

I have reproduced the issue. Thank you for your patience. I do see a problem. We did make a math library from the libC link before BSD for generating this binary but are checking what went wrong.

Can you tell me how you got the core dump? In that sense, can you tell me how you ran the clamscan? I am not able to get the core.

I am looking to integrate this into our test bucket for future versions, and the core dump will help us understand more. We would appreciate that information.

Aditya Kamath

Hi,

We were trying to reproduce the core but could not. In the previous message the error was because we made a mistake in the clamd.conf file while attempting to reproduce.

We are able to scan the file you mentioned. Kindly see our output and clamd file. Let us know how you are scanning which will help us resolve the issue.

Did you set ulimits to unlimited? 

/opt/freeware/sbin/clamd --config-file=/clamd.conf

# clamdscan --config-file=/clamd.conf --verbose --fdpass --multiscan  /opt/freeware/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl
/opt/freeware/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl: OK
 
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.030 sec (0 m 0 s)
Start Date: 2025:10:12 03:37:33
End Date:   2025:10:12 03:37:33

# cat clamd.conf 
 
# Path to the virus database (adjust to your distro's db path)
DatabaseDirectory /var/lib/clamav
 
# Path to the unix socket or TCP port clamd will listen on.
# Use one of the two options below (uncomment the one you want).
 
# TCP 
 TCPSocket 3310
 TCPAddr 127.0.0.1
 
# Allow clamd to use multiple threads (optional)
# Detects number of CPUs if set to 0
MaxThreads 4
 
# Temporary directory for unarchiving files
TemporaryDirectory /tmp
 
# Do not log verbose by default (set to yes for debugging)
LogVerbose yes
LogFile /var/clamav/clamd.log
LogTime yes
 
# Allow scanning compressed files
ScanArchive yes
 
# Size limits (adjust if you need bigger file support)
# MaxFileSize 25M
# MaxScanSize 100M
 
# Run as user/group (uncomment and adjust as needed)
User root 
# Example: on some distros the user/group is 'clamav' or 'clamd'
# AllowSupplementaryGroups yes
 
# Leave example warning comment
# For production review the whole config and your distro's defaults.

直也 酒井

We apologize for keeping you waiting.
Due to data retention requirements, we needed to prepare a different server with similar settings rather than using the environment where the issue was initially discovered, in order to reproduce the problem, which took some time.
The core dump has been successfully obtained.
Due to disk space limitations, some directory settings and owner settings have been modified from the RPM default configuration.
The clamd.conf is also configured as described below. As for the ClamAV RPM, version 1.0.7-2 was initially installed, and then updated to 1.0.7-3 using rpm -Uvh.

Please download the files from the following DropBox link;
https://www.dropbox.com/scl/fi/c8levrqecqpc18rbfdoqd/core.14877148.14023442?rlkey=o6ftubkftps4n2fsh3g9m4rom&dl=0

The configuration file is set as follows;

# cat /opt/freeware/etc/clamav/clamd.conf.new
TemporaryDirectory /tmp
LocalSocket /tmp/clamd.socket
PidFile /tmp/clamd.pid
FollowFileSymlinks yes
FollowDirectorySymlinks yes
ScanArchive yes
MaxScanSize 0
MaxFileSize 0
MaxRecursion 5
DisableCache yes
LogFile /tmp/clamd.log
AlertEncrypted yes
LocalSocketMode 660
CommandReadTimeout 30
LogFileMaxSize 2M
LogTime yes
LogVerbose yes
ExtendedDetectionInfo yes


DatabaseDirectory /usr/lib/clamav

The output results of dbx are as follows;

# dbx /opt/freeware/sbin/clamd /home/sakai/core.14877148.14023442
Type 'help' for help.
[using memory image in /home/sakai/core.14877148.14023442]
reading symbolic information ...internal error: unexpected value 120 at line 5214 in file stabstring.c
internal error: expected char ',', found ';,0,64;_base:22,64,64;_bufendp:22,128,64;__newbase:6,192,64;_lock:24=*3,256,64;_cnt:4,320,32;_file:4,352,32;__stdioid:4,384,32;_flag:25=@s16;r25;-32768;32767;,416,16;_unused:25,432,16;_unused1:26=ar27=@s64;r27;0;01777777777777777777777;;0;00000000000000000000003;12,448,256;;'
internal error: expected char ';', found ',64;_base:22,64,64;_bufendp:22,128,64;__newbase:6,192,64;_lock:24=*3,256,64;_cnt:4,320,32;_file:4,352,32;__stdioid:4,384,32;_flag:25=@s16;r25;-32768;32767;,416,16;_unused:25,432,16;_unused1:26=ar27=@s64;r27;0;01777777777777777777777;;0;00000000000000000000003;12,448,256;;'
internal error: expected char ',', found ';,416,16;_unused:25,432,16;_unused1:26=ar27=@s64;r27;0;01777777777777777777777;;0;00000000000000000000003;12,448,256;;'
internal error: expected char ';', found ',16;_unused:25,432,16;_unused1:26=ar27=@s64;r27;0;01777777777777777777777;;0;00000000000000000000003;12,448,256;;'
internal error: expected char ',', found ';12,448,256;;'
internal error: expected char ';', found ',256;;'
internal error: index("256;;", ':') failed
internal error: unexpected value 120 at line 5214 in file stabstring.c
internal error: unexpected value 120 at line 5214 in file stabstring.c
internal error: unexpected value 120 at line 5214 in file stabstring.c
internal error: unexpected value 120 at line 5214 in file stabstring.c


Segmentation fault in pow.pow [/usr/lib/libbsd.a] at 0x90000000144ffb8 ($t3)
0x90000000144ffb8 (pow+0x98) 7ec6c2ae           lhax  r22,r6,r24
(dbx)

Aditya Kamath

Thank you for the core. We are analyzing and will get back.

Aditya Kamath

Hi,

We want you to try stopping the clamd daemon, doing a slibclean, and starting again in your test LPAR. Does this fix the problem?

If it does not, can you share the below command outputs from the LPAR?

  1. rpm -qa | grep clamav
  2. clamdscan --version
  3. dump -X64 -Tov /opt/freeware/lib/libclamav.a | grep bsd 
  4. echo $LIBPATH

Aditya Kamath

Hi, 

Can you try stopping the clamd daemon and doing a slibclean and starting again in your test LPAR? Also, if that does not work, then can you share the below command outputs?

  1. rpm -qa | grep clamav 
  2. clamdscan --version
  3. dump -X64 -Tov /opt/freeware/lib/libclamav.a | grep bsd
  4. echo $LIBPATH

直也 酒井

It looks like this.

>rpm -qa | grep clamav

# rpm -qa | grep clamav 
clamav-1.0.7-3.ppc

>clamdscan --version

# clamdscan --version
ClamAV 0.103.4/27759/Wed Sep 10 03:27:04 2025

>dump -X64 -Tov /opt/freeware/lib/libclamav.a | grep bsd

[100]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) fcntl
[101]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) fmin
[102]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) pow

>echo $LIBPATH

# echo $LIBPATH

(It's empty)

Aditya Kamath

Hi,

>clamdscan --version

># clamdscan --version
> ClamAV 0.103.4/27759/Wed Sep 10 03:27:04 2025

>dump -X64 -Tov /opt/freeware/lib/libclamav.a | grep bsd

>[100]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) fcntl
>[101]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) fmin
> [102]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) pow


That is the root cause of your issue, and that is why it core dumped. libclamav.a is using libbsd. And you see clamdscan version is also incorrect.

If your system is well, then you should see,

# clamdscan --version
ClamAV 1.4.3

# dump -X64 -Tov /opt/freeware/lib/libclamav.a | grep bsd
[256] 0x00000000 undef IMP DS EXTref libbsd.a(shr_64.o) fcntl

In your case, version 1.0.7..

Can you do a dnf erase clamav

Then make sure there are no ClamAV files at all. By that I mean you should not see any files like /opt/freeware/lib/libclamav.a, /opt/freeware/sbin/clamd and /opt/freeware/bin/clamscan.

Then do dnf install clamav-1.0.7-3 if you are keen on 1.0.x or dnf install clamav.

Then rerun the same two commands, and you must see the below outputs. Then all is good, and ClamAV will work. Please let us know if you still have trouble. We will get this up for you.

# clamdscan --version
ClamAV 1.4.3


# dump -X64 -Tov /opt/freeware/lib/libclamav.a | grep bsd
[256]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) fcntl

直也 酒井

Thank you for your reply.


I understand that pow() in libbsd.a is linked in /opt/freeware/lib/libclamav.a and how to verify that.
As I wrote in my first post, due to limitations in updating the system environment, it is not possible to immediately upgrade from version 1.0.7 to 1.4.3.
I posted to report the issue that, although the changelog of the publicly released ClamAV-1.0.7-3 RPM states ' - Update to link math before bsd library.', it seems that the change has only been applied to the clamscan binary and not to clamd.
I will either create a patch for the problematic part based on the publicly available 1.0.7-3 SRPM and build a custom RPM, or rebuild libclamav.a using the modified source code to address the issue.

Aditya Kamath

Hi,

We are not asking you to update to 1.4.3. 

># rpm -qa | grep clamav 
> clamav-1.0.7-3.ppc

> clamdscan --version
> ClamAV 0.103.4/27759/Wed Sep 10 03:27:04 2025

If you have installed 1.0.7-3 in your LPAR, then clamdscan --version must also show 1.0.7, which in your LPAR it is not showing. There is something not right here, which is why we are suggesting to remove the clamav rpm and reinstall. Can you try this? It will resolve the core dump without you having to update to 1.4.3
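
The two checks used in this thread to diagnose the crash (the package version against the version clamdscan reports, and whether libclamav.a imports math symbols from libbsd.a), as an added example that is not part of the original posts. The function names and the MATH_SYMS list are assumptions; the bad-case sample lines are taken from the outputs posted above, and the good-case "ClamAV 1.0.7" line is constructed.

```shell
#!/bin/sh
# Added example, not from the thread's participants. Sample data below is
# copied from the posts above (bad case) or constructed (good case).

MATH_SYMS="pow fmin"   # assumption: the math symbols the thread shows bound to libbsd.a

# stdin: `dump -X64 -Tov <archive>` output; prints math symbols imported from libbsd.a
bsd_math_imports() {
    awk -v syms="$MATH_SYMS" '
        BEGIN { n = split(syms, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # import row: [102] 0x00000000 undef IMP DS EXTref libbsd.a(shr_64.o) pow
        / IMP / && $(NF-1) ~ /^libbsd\.a\(/ && ($NF in want) { print $NF }'
}

# "clamav-1.0.7-3.ppc" -> "1.0.7"
rpm_upstream_version() { printf '%s\n' "$1" | sed -n 's/^clamav-\([0-9][0-9.]*\)-.*/\1/p'; }

# "ClamAV 0.103.4/27759/..." -> "0.103.4"
tool_version() { printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'; }

# $1 = rpm -qa line, $2 = clamdscan --version line, stdin = dump output.
# Returns 0 when both checks pass, 1 otherwise.
check_install() {
    rc=0
    rv=$(rpm_upstream_version "$1"); tv=$(tool_version "$2")
    if [ "$rv" != "$tv" ]; then
        echo "version mismatch: package $rv, clamdscan reports $tv"; rc=1
    fi
    bad=$(bsd_math_imports | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "libclamav.a imports from libbsd.a: $bad"; rc=1
    fi
    return $rc
}

DUMP_BAD='[100]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) fcntl
[101]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) fmin
[102]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) pow'
DUMP_GOOD='[256]   0x00000000    undef      IMP     DS EXTref libbsd.a(shr_64.o) fcntl'

# Bad case from the thread: reports both findings.
printf '%s\n' "$DUMP_BAD"  | check_install "clamav-1.0.7-3.ppc" \
    "ClamAV 0.103.4/27759/Wed Sep 10 03:27:04 2025" || true
# Good case (constructed): prints nothing.
printf '%s\n' "$DUMP_GOOD" | check_install "clamav-1.0.7-3.ppc" "ClamAV 1.0.7" || true
```

On a live LPAR the same function can be fed the real commands from the thread: dump -X64 -Tov /opt/freeware/lib/libclamav.a | check_install "$(rpm -qa | grep clamav)" "$(clamdscan --version)".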