2009-08-20 01:34:03 +02:00
|
|
|
/*
|
2025-02-14 10:24:30 -05:00
|
|
|
* Copyright (C) 2013-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2019-01-25 10:15:50 -05:00
|
|
|
* Copyright (C) 2009-2013 Sourcefire, Inc.
|
2009-08-20 01:34:03 +02:00
|
|
|
*
|
|
|
|
|
* Authors: aCaB <acab@clamav.net>
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
2009-08-20 02:19:57 +02:00
|
|
|
#ifndef __FMAP_H
|
|
|
|
|
#define __FMAP_H
|
2009-08-20 01:34:03 +02:00
|
|
|
|
2011-12-16 12:00:12 +01:00
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
2009-12-22 09:33:34 +02:00
|
|
|
#ifdef HAVE_UNISTD_H
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2015-02-17 13:04:49 -07:00
|
|
|
#include <limits.h>
|
2009-12-11 21:12:38 +02:00
|
|
|
#include <time.h>
|
2011-06-14 20:33:15 +03:00
|
|
|
#include <string.h>
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │ └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
| └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │ └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │ └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │ └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │ └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │ └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │ └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
| └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │ └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
| └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
#include <stdbool.h>
|
2018-12-05 20:46:20 -05:00
|
|
|
|
2011-06-14 20:33:15 +03:00
|
|
|
#include "clamav.h"
|
2009-08-31 04:41:06 +02:00
|
|
|
|
2022-08-18 20:00:33 -07:00
|
|
|
#include "matcher-hash-types.h"
|
|
|
|
|
|
2011-06-14 20:33:15 +03:00
|
|
|
struct cl_fmap;
|
|
|
|
|
typedef cl_fmap_t fmap_t;
|
|
|
|
|
|
|
|
|
|
struct cl_fmap {
|
2011-06-14 21:06:16 +03:00
|
|
|
/* handle interface */
|
|
|
|
|
void *handle;
|
|
|
|
|
clcb_pread pread_cb;
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/* memory interface */
|
|
|
|
|
const void *data;
|
|
|
|
|
|
2011-06-14 21:06:16 +03:00
|
|
|
/* internal */
|
2023-12-06 17:33:21 -05:00
|
|
|
uint64_t mtime;
|
2021-03-31 12:16:41 -07:00
|
|
|
uint64_t pages;
|
2020-01-30 09:15:44 -08:00
|
|
|
uint64_t pgsz;
|
2021-03-31 12:16:41 -07:00
|
|
|
uint64_t paged;
|
libclamav: scan-layer callback API functions
Add the following scan callbacks:
```c
cl_engine_set_scan_callback(engine, &pre_hash_callback, CL_SCAN_CALLBACK_PRE_HASH);
cl_engine_set_scan_callback(engine, &pre_scan_callback, CL_SCAN_CALLBACK_PRE_SCAN);
cl_engine_set_scan_callback(engine, &post_scan_callback, CL_SCAN_CALLBACK_POST_SCAN);
cl_engine_set_scan_callback(engine, &alert_callback, CL_SCAN_CALLBACK_ALERT);
cl_engine_set_scan_callback(engine, &file_type_callback, CL_SCAN_CALLBACK_FILE_TYPE);
```
Each callback may alter scan behavior using the following return codes:
* CL_BREAK
Scan aborted by callback (the rest of the scan is skipped).
This does not mark the file as clean or infected, it just skips the rest of the scan.
* CL_SUCCESS / CL_CLEAN
File scan will continue.
This is different than CL_VERIFIED because it does not affect prior or future alerts.
Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip
the rest of the scan for this layer.
* CL_VIRUS
This means you don't trust the file. A new alert will be added.
For CL_SCAN_CALLBACK_ALERT: Means you agree with the alert (no extra alert needed).
* CL_VERIFIED
Layer explicitly trusted by the callback and previous alerts removed FOR THIS layer.
You might want to do this if you trust the hash or verified a digital signature.
The rest of the scan will be skipped FOR THIS layer.
For contained files, this does NOT mean that the parent or adjacent layers are trusted.
Each callback is given a pointer to the current scan layer from which
they can get previous layers, can get the the layer's fmap, and then
various attributes of the layer and of the fmap such as:
- layer recursion level
- layer object id
- layer file type
- layer attributes (was decerypted, normalized, embedded, or re-typed)
- layer last alert
- fmap name
- fmap hash (md5, sha1, or sha2-256)
- fmap data (pointer and size)
- fmap file descriptor, if any (fd, offset, size)
- fmap filepath, if any (filepath, offset, size)
To make this possible, this commits introduced a handful of new APIs to
query scan-layer details and fmap details:
- `cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);`
- `cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);`
- `cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);`
- `cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);`
- `cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);`
- `cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);`
- `cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);`
- `cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);`
- `cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);`
- `cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, const char **hash_out);`
- `cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);`
- `cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);`
- `cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);`
- `cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);`
- `cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);`
- `cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);`
- `cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);`
- `cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);`
This commit deprecates but does not remove the existing scan callbacks:
- `void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);`
- `void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);`
- `void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);`
- `void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);`
- `void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);`
- `void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);`
This commit also adds an interactive test program to demonstrate the callbacks.
See: `examples/ex_scan_callbacks.c`
CLAM-255
CLAM-2485
CLAM-2626
2025-06-22 14:37:03 -04:00
|
|
|
bool aging; /** Indicates if we should age off memory mapped pages */
|
|
|
|
|
bool dont_cache_flag; /** Indicates if we should not cache scan results for this fmap. Used if limits exceeded */
|
|
|
|
|
bool handle_is_fd; /** Non-zero if `map->handle` is an fd. This is needed so that `fmap_fd()` knows if it can
|
|
|
|
|
return a file descriptor. If it's some other kind of handle, then `fmap_fd()` has to return -1. */
|
|
|
|
|
size_t offset; /** File offset representing start of original fmap, if the fmap created reading from a file starting at offset other than 0.
|
|
|
|
|
`offset` & `len` are critical information for anyone using the file descriptor/handle */
|
|
|
|
|
size_t nested_offset; /** Offset from start of original fmap (data) for nested scan. 0 for orig fmap. */
|
|
|
|
|
size_t real_len; /** Length from start of original fmap (data) to end of current (possibly nested) map.
|
|
|
|
|
`real_len == nested_offset + len`.
|
|
|
|
|
`real_len` is needed for nested maps because we only reference the original mapping data.
|
|
|
|
|
We convert caller's fmap offsets & lengths to real data offsets using `nested_offset` & `real_len`. */
|
2021-10-03 14:13:55 -07:00
|
|
|
|
|
|
|
|
/* external */
|
libclamav: scan-layer callback API functions
Add the following scan callbacks:
```c
cl_engine_set_scan_callback(engine, &pre_hash_callback, CL_SCAN_CALLBACK_PRE_HASH);
cl_engine_set_scan_callback(engine, &pre_scan_callback, CL_SCAN_CALLBACK_PRE_SCAN);
cl_engine_set_scan_callback(engine, &post_scan_callback, CL_SCAN_CALLBACK_POST_SCAN);
cl_engine_set_scan_callback(engine, &alert_callback, CL_SCAN_CALLBACK_ALERT);
cl_engine_set_scan_callback(engine, &file_type_callback, CL_SCAN_CALLBACK_FILE_TYPE);
```
Each callback may alter scan behavior using the following return codes:
* CL_BREAK
Scan aborted by callback (the rest of the scan is skipped).
This does not mark the file as clean or infected, it just skips the rest of the scan.
* CL_SUCCESS / CL_CLEAN
File scan will continue.
This is different than CL_VERIFIED because it does not affect prior or future alerts.
Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip
the rest of the scan for this layer.
* CL_VIRUS
This means you don't trust the file. A new alert will be added.
For CL_SCAN_CALLBACK_ALERT: Means you agree with the alert (no extra alert needed).
* CL_VERIFIED
Layer explicitly trusted by the callback and previous alerts removed FOR THIS layer.
You might want to do this if you trust the hash or verified a digital signature.
The rest of the scan will be skipped FOR THIS layer.
For contained files, this does NOT mean that the parent or adjacent layers are trusted.
Each callback is given a pointer to the current scan layer from which
they can get previous layers, can get the the layer's fmap, and then
various attributes of the layer and of the fmap such as:
- layer recursion level
- layer object id
- layer file type
- layer attributes (was decerypted, normalized, embedded, or re-typed)
- layer last alert
- fmap name
- fmap hash (md5, sha1, or sha2-256)
- fmap data (pointer and size)
- fmap file descriptor, if any (fd, offset, size)
- fmap filepath, if any (filepath, offset, size)
To make this possible, this commits introduced a handful of new APIs to
query scan-layer details and fmap details:
- `cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);`
- `cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);`
- `cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);`
- `cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);`
- `cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);`
- `cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);`
- `cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);`
- `cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);`
- `cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);`
- `cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, const char **hash_out);`
- `cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);`
- `cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);`
- `cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);`
- `cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);`
- `cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);`
- `cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);`
- `cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);`
- `cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);`
This commit deprecates but does not remove the existing scan callbacks:
- `void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);`
- `void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);`
- `void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);`
- `void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);`
- `void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);`
- `void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);`
This commit also adds an interactive test program to demonstrate the callbacks.
See: `examples/ex_scan_callbacks.c`
CLAM-255
CLAM-2485
CLAM-2626
2025-06-22 14:37:03 -04:00
|
|
|
size_t len; /** Length of data from nested_offset, accessible via current fmap */
|
2011-06-17 23:08:31 +03:00
|
|
|
|
|
|
|
|
/* real_len = nested_offset + len
|
|
|
|
|
* file_offset = offset + nested_offset + need_offset
|
|
|
|
|
* maximum offset, length accessible via fmap API: len
|
|
|
|
|
* offset in cached buffer: nested_offset + need_offset
|
|
|
|
|
*
|
2014-05-19 16:48:46 -04:00
|
|
|
* This allows scanning a portion of an already mapped file without dumping
|
2011-06-17 23:08:31 +03:00
|
|
|
* to disk and remapping (for uncompressed archives for example) */
|
2011-06-14 20:33:15 +03:00
|
|
|
|
|
|
|
|
/* vtable for implementation */
|
2018-12-03 12:40:13 -05:00
|
|
|
void (*unmap)(fmap_t *);
|
|
|
|
|
const void *(*need)(fmap_t *, size_t at, size_t len, int lock);
|
|
|
|
|
const void *(*need_offstr)(fmap_t *, size_t at, size_t len_hint);
|
|
|
|
|
const void *(*gets)(fmap_t *, char *dst, size_t *at, size_t max_len);
|
|
|
|
|
void (*unneed_off)(fmap_t *, size_t at, size_t len);
|
2023-12-06 17:33:21 -05:00
|
|
|
void *windows_file_handle;
|
|
|
|
|
void *windows_map_handle;
|
2025-06-03 19:03:20 -04:00
|
|
|
|
|
|
|
|
/* flags to indicate if we should calculate a hash next time we calculate any hashes */
|
|
|
|
|
bool will_need_hash[CLI_HASH_AVAIL_TYPES];
|
|
|
|
|
|
|
|
|
|
/* flags to indicate if we have calculated a hash */
|
|
|
|
|
bool have_hash[CLI_HASH_AVAIL_TYPES];
|
|
|
|
|
|
|
|
|
|
/* hash values */
|
|
|
|
|
uint8_t hash[CLI_HASH_AVAIL_TYPES][CLI_HASHLEN_MAX];
|
|
|
|
|
|
2021-03-31 12:16:41 -07:00
|
|
|
uint64_t *bitmap;
|
libclamav: Add engine option to toggle temp directory recursion
Temp directory recursion in ClamAV is when each layer of a scan gets its
own temp directory in the parent layer's temp directory.
In addition to temp directory recursion, ClamAV has been creating a new
subdirectory for each file scan as a risk-adverse method to ensure
no temporary file leaks fill up the disk.
Creating a directory is relatively slow on Windows in particular if
scanning a lot of very small files.
This commit:
1. Separates the temp directory recursion feature from the leave-temps
feature so that libclamav can leave temp files without making
subdirectories for each file scanned.
2. Makes it so that when temp directory recursion is off, libclamav
will just use the configure temp directory for all files.
The new option to enable temp directory recursion is for libclamav-only
at this time. It is off by default, and you can enable it like this:
```c
cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
```
For the `clamscan` and `clamd` programs, temp directory recursion will
be enabled when `--leave-temps` / `LeaveTemporaryFiles` is enabled.
The difference is that when disabled, it will return to using the
configured temp directory without making a subdirectory for each file
scanned, so as to improve scan performance for small files, mostly on
Windows.
Under the hood, this commit also:
1. Cleans up how we keep track of tmpdirs for each layer.
The goal here is to align how we keep track of layer-specific stuff
using the scan_layer structure.
2. Cleans up how we record metadata JSON for embedded files.
Note: Embedded files being different from Contained files, as they
are extracted not with a parser, but by finding them with
file type magic signatures.
CLAM-1583
2025-06-09 20:42:31 -04:00
|
|
|
char *name; /* name of the file, e.g. as recorded in a zip file entry record */
|
|
|
|
|
char *path; /* path to the file/tempfile, if fmap was created from a file descriptor */
|
2011-06-14 20:33:15 +03:00
|
|
|
};
|
2009-08-20 01:34:03 +02:00
|
|
|
|
2020-03-19 21:23:54 -04:00
|
|
|
/**
|
|
|
|
|
* @brief Create a new fmap given a file descriptor.
|
|
|
|
|
*
|
|
|
|
|
* @param fd File descriptor of file to be mapped.
|
|
|
|
|
* @param offset Offset into file for start of map.
|
|
|
|
|
* @param len Length from offset for size of map.
|
|
|
|
|
* @param name (optional) Original name of the file (to set fmap name metadata)
|
2025-06-08 01:12:33 -04:00
|
|
|
* @param path (optional) Original path of the file (to set fmap path metadata)
|
|
|
|
|
* @return fmap_t* The newly created fmap. Free it with `fmap_free()`
|
2020-03-19 21:23:54 -04:00
|
|
|
*/
|
2025-06-08 01:12:33 -04:00
|
|
|
fmap_t *fmap_new(int fd, off_t offset, size_t len, const char *name, const char *path);
|
2020-03-19 21:23:54 -04:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief Create new fmap given a file descriptor.
|
|
|
|
|
*
|
2025-06-08 01:12:33 -04:00
|
|
|
* This variant of fmap_new() provides a boolean output variable to indicate on
|
2020-03-19 21:23:54 -04:00
|
|
|
* failure if the failure was because the file is empty (not really a failure).
|
|
|
|
|
*
|
2021-07-16 11:47:23 -07:00
|
|
|
* @param fd File descriptor of file to be mapped.
|
|
|
|
|
* @param offset Offset into file for start of map.
|
|
|
|
|
* @param len Length from offset for size of map.
|
|
|
|
|
* @param[out] empty Boolean will be non-zero if the file couldn't be mapped because it is empty.
|
|
|
|
|
* @param name (optional) Original name of the file (to set fmap name metadata)
|
2025-06-08 01:12:33 -04:00
|
|
|
* @param path (optional) Original path of the file (to set fmap path metadata)
|
|
|
|
|
* @return fmap_t* The newly created fmap. Free it with `fmap_free()`
|
2020-03-19 21:23:54 -04:00
|
|
|
*/
|
2025-06-08 01:12:33 -04:00
|
|
|
fmap_t *fmap_check_empty(int fd, off_t offset, size_t len, int *empty, const char *name, const char *path);
|
2020-03-19 21:23:54 -04:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief Create a new fmap given a buffer.
|
|
|
|
|
*
|
|
|
|
|
* @param start Start of a buffer that the fmap will reference.
|
|
|
|
|
* @param len Length of the buffer.
|
|
|
|
|
* @param name (optional) Original name of the file (to set fmap name metadata)
|
|
|
|
|
* @return fmap_t*
|
|
|
|
|
*/
|
|
|
|
|
fmap_t *fmap_open_memory(const void *start, size_t len, const char *name);
|
2011-06-14 20:33:15 +03:00
|
|
|
|
2020-02-28 18:29:35 -05:00
|
|
|
/**
|
|
|
|
|
* @brief Create a new fmap view into another fmap.
|
|
|
|
|
*
|
|
|
|
|
* @param map The parent fmap.
|
|
|
|
|
* @param offset Offset for the start of the new fmap into the parent fmap.
|
|
|
|
|
* @param length Length of the data from the offset for the new fmap.
|
2020-03-19 21:23:54 -04:00
|
|
|
* @param name (optional) Original name of the file (to set fmap name metadata)
|
|
|
|
|
* @return fmap_t* NULL if failure or a special fmap that the caller must free with free_duplicate_fmap()
|
|
|
|
|
*/
|
2021-01-23 16:41:41 -08:00
|
|
|
fmap_t *fmap_duplicate(cl_fmap_t *map, size_t offset, size_t length, const char *name);
|
2020-03-19 21:23:54 -04:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief Deallocate a _duplicated_ fmap. Does not unmap the mapped region.
|
|
|
|
|
*
|
|
|
|
|
* This function should be used instead of `free()` to cleanup the optional fmap name.
|
|
|
|
|
*
|
|
|
|
|
* @param m The map to be free'd.
|
2020-02-28 18:29:35 -05:00
|
|
|
*/
|
2020-03-19 21:23:54 -04:00
|
|
|
void free_duplicate_fmap(cl_fmap_t *map);
|
2020-02-28 18:29:35 -05:00
|
|
|
|
2020-03-19 21:23:54 -04:00
|
|
|
/**
|
|
|
|
|
* @brief Unmap/deallocate an fmap.
|
|
|
|
|
*
|
|
|
|
|
* @param m The map to be free'd.
|
|
|
|
|
*/
|
2025-06-08 01:12:33 -04:00
|
|
|
static inline void fmap_free(fmap_t *m)
|
2011-06-14 20:33:15 +03:00
|
|
|
{
|
|
|
|
|
m->unmap(m);
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Get a pointer to the file data if the requested offset & len are within the fmap.
|
|
|
|
|
*
|
|
|
|
|
* For fmap's created from file descriptors, this will also page the requested file map pages.
|
|
|
|
|
*
|
|
|
|
|
* This will lock the pages containing the requested data.
|
|
|
|
|
* You must call fmap_unneed_off() / fmap_unneed_ptr() when you're done accessing the data to
|
|
|
|
|
* release the page locks.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param at The map offset requested.
|
|
|
|
|
* @param len The data length requested.
|
2024-04-10 16:31:46 -07:00
|
|
|
* @return const void* A pointer into to the fmap->data at the requested offset. NULL if offset/len are not contained in the fmap.
|
2021-10-03 14:13:55 -07:00
|
|
|
*/
|
2011-06-14 20:33:15 +03:00
|
|
|
static inline const void *fmap_need_off(fmap_t *m, size_t at, size_t len)
|
|
|
|
|
{
|
|
|
|
|
return m->need(m, at, len, 1);
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Get a pointer to the file data if the requested offset & len are within the fmap.
|
|
|
|
|
*
|
|
|
|
|
* For fmap's created from file descriptors, this will also page the requested file map pages.
|
|
|
|
|
*
|
|
|
|
|
* This is just like fmap_need_off() except it will not lock the pages, and you don't need
|
|
|
|
|
* to call fmap_unneed_off() / fmap_unneed_ptr() to release the page locks.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param at The map offset requested.
|
|
|
|
|
* @param len The data length requested.
|
2024-04-10 16:31:46 -07:00
|
|
|
* @return const void* A pointer into to the fmap->data at the requested offset. NULL if offset/len are not contained in the fmap.
|
2021-10-03 14:13:55 -07:00
|
|
|
*/
|
2011-06-14 20:33:15 +03:00
|
|
|
static inline const void *fmap_need_off_once(fmap_t *m, size_t at, size_t len)
|
|
|
|
|
{
|
|
|
|
|
return m->need(m, at, len, 0);
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Return an offset into the current fmap given a pointer into the fmap data.
|
|
|
|
|
*
|
|
|
|
|
* For a nested (duplicate) fmap, the returned offset will be appropriate to the nested map.
|
|
|
|
|
* For example, if the ptr points to the start of the nested file, the returned offset will be 0.
|
|
|
|
|
* So this should be true, even for a nested fmap:
|
|
|
|
|
* void *ptr = fmap_need_off(m, 0, 10);
|
|
|
|
|
* size_t off = fmap_need_ptr(m, ptr, 10);
|
|
|
|
|
* assert(ptr == off);
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap
|
|
|
|
|
* @param ptr A pointer into the fmap->data
|
|
|
|
|
* @return size_t The offset into the fmap
|
|
|
|
|
*/
|
2011-06-14 22:54:44 +03:00
|
|
|
static inline size_t fmap_ptr2off(const fmap_t *m, const void *ptr)
|
|
|
|
|
{
|
2020-03-19 21:23:54 -04:00
|
|
|
return (size_t)((const char *)ptr - (const char *)m->data) - m->nested_offset;
|
2011-06-14 22:54:44 +03:00
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Get a pointer to the file data given a pointer into the map->data & len that are within the fmap.
|
|
|
|
|
*
|
|
|
|
|
* For fmap's created from file descriptors, this will also page the requested file map pages.
|
|
|
|
|
*
|
|
|
|
|
* This will lock the pages containing the requested data.
|
|
|
|
|
* You must call fmap_unneed_off() / fmap_unneed_ptr() when you're done accessing the data to
|
|
|
|
|
* release the page locks.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param ptr A pointer into the fmap->data.
|
|
|
|
|
* @param len The data length requested.
|
2024-04-10 16:31:46 -07:00
|
|
|
* @return const void* A pointer into to the fmap->data at the requested offset. NULL if offset/len are not contained in the fmap.
|
2021-10-03 14:13:55 -07:00
|
|
|
*/
|
2012-01-05 14:16:09 +02:00
|
|
|
static inline const void *fmap_need_ptr(fmap_t *m, const void *ptr, size_t len)
|
2011-06-14 20:33:15 +03:00
|
|
|
{
|
2011-06-14 22:54:44 +03:00
|
|
|
return m->need(m, fmap_ptr2off(m, ptr), len, 1);
|
2011-06-14 20:33:15 +03:00
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Get a pointer to the file data given a pointer into the map->data & len that are within the fmap.
|
|
|
|
|
*
|
|
|
|
|
* For fmap's created from file descriptors, this will also page the requested file map pages.
|
|
|
|
|
*
|
|
|
|
|
* This is just like fmap_need_ptr() except it will not lock the pages, and you don't need
|
|
|
|
|
* to call fmap_unneed_off() / fmap_unneed_ptr() to release the page locks.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param ptr A pointer into the fmap->data.
|
|
|
|
|
* @param len The data length requested.
|
2024-04-10 16:31:46 -07:00
|
|
|
* @return const void* A pointer into to the fmap->data at the requested offset. NULL if offset/len are not contained in the fmap.
|
2021-10-03 14:13:55 -07:00
|
|
|
*/
|
2012-01-05 14:16:09 +02:00
|
|
|
static inline const void *fmap_need_ptr_once(fmap_t *m, const void *ptr, size_t len)
|
2011-06-14 20:33:15 +03:00
|
|
|
{
|
2011-06-14 22:54:44 +03:00
|
|
|
return m->need(m, fmap_ptr2off(m, ptr), len, 0);
|
2011-06-14 20:33:15 +03:00
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Release page locks for an fmap.
|
|
|
|
|
*
|
|
|
|
|
* You must call this after "needing" memory with fmap_need_ptr() or fmap_need_off() once
|
|
|
|
|
* you're done accessing the data.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param at The map offset requested.
|
|
|
|
|
* @param len The data length requested.
|
|
|
|
|
*/
|
2011-06-14 20:33:15 +03:00
|
|
|
static inline void fmap_unneed_off(fmap_t *m, size_t at, size_t len)
|
|
|
|
|
{
|
|
|
|
|
m->unneed_off(m, at, len);
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Release page locks for an fmap.
|
|
|
|
|
*
|
|
|
|
|
* You must call this after "needing" memory with fmap_need_ptr() or fmap_need_off() once
|
|
|
|
|
* you're done accessing the data.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param ptr A pointer into the fmap->data.
|
|
|
|
|
* @param len The data length requested.
|
|
|
|
|
*/
|
2012-01-05 14:16:09 +02:00
|
|
|
static inline void fmap_unneed_ptr(fmap_t *m, const void *ptr, size_t len)
|
2011-06-14 20:33:15 +03:00
|
|
|
{
|
2011-06-14 22:54:44 +03:00
|
|
|
fmap_unneed_off(m, fmap_ptr2off(m, ptr), len);
|
2011-06-14 20:33:15 +03:00
|
|
|
}
|
|
|
|
|
|
2019-05-04 15:54:54 -04:00
|
|
|
/**
|
GIF, PNG bugfixes; Add AlertBrokenMedia option
Added a new scan option to alert on broken media (graphics) file
formats. This feature mitigates the risk of malformed media files
intended to exploit vulnerabilities in other software. At present
media validation exists for JPEG, TIFF, PNG, and GIF files.
To enable this feature, set `AlertBrokenMedia yes` in clamd.conf, or
use the `--alert-broken-media` option when using `clamscan`.
These options are disabled by default for now.
Application developers may enable this scan option by enabling
`CL_SCAN_HEURISTIC_BROKEN_MEDIA` for the `heuristic` scan option bit
field.
Fixed PNG parser logic bugs that caused an excess of parsing errors
and fixed a stack exhaustion issue affecting some systems when
scanning PNG files. PNG file type detection was disabled via
signature database update for 0.103.0 to mitigate effects from these
bugs.
Fixed an issue where PNG and GIF files no longer work with Target:5
(graphics) signatures if detected as CL_TYPE_PNG/GIF rather than as
CL_TYPE_GRAPHICS. Target types now support up to 10 possible file
types to make way for additional graphics types in future releases.
Scanning JPEG, TIFF, PNG, and GIF files will no longer return "parse"
errors when file format validation fails. Instead, the scan will alert
with the "Heuristics.Broken.Media" signature prefix and a descriptive
suffix to indicate the issue, provided that the "alert broken media"
feature is enabled.
GIF format validation will no longer fail if the GIF image is missing
the trailer byte, as this appears to be a relatively common issue in
otherwise functional GIF files.
Added a TIFF dynamic configuration (DCONF) option, which was missing.
This will allow us to disable TIFF format validation via signature
database update in the event that it proves to be problematic.
This feature already exists for many other file types.
Added CL_TYPE_JPEG and CL_TYPE_TIFF types.
2020-11-04 15:49:43 -08:00
|
|
|
* @brief Read bytes from fmap at offset into destination buffer.
|
2019-05-04 15:54:54 -04:00
|
|
|
*
|
|
|
|
|
* @param m fmap
|
|
|
|
|
* @param dst destination buffer
|
|
|
|
|
* @param at offset into fmap
|
|
|
|
|
* @param len # of bytes to read
|
|
|
|
|
* @return size_t # of bytes read
|
|
|
|
|
* @return size_t (size_t)-1 if error
|
|
|
|
|
*/
|
|
|
|
|
static inline size_t fmap_readn(fmap_t *m, void *dst, size_t at, size_t len)
|
2011-06-14 20:33:15 +03:00
|
|
|
{
|
|
|
|
|
const void *src;
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (at == m->len || !len)
|
|
|
|
|
return 0;
|
|
|
|
|
if (at > m->len)
|
2019-05-04 15:54:54 -04:00
|
|
|
return (size_t)-1;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (len > m->len - at)
|
|
|
|
|
len = m->len - at;
|
2011-06-14 20:33:15 +03:00
|
|
|
src = fmap_need_off_once(m, at, len);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!src)
|
2019-05-04 15:54:54 -04:00
|
|
|
return (size_t)-1;
|
2011-06-14 20:33:15 +03:00
|
|
|
memcpy(dst, src, len);
|
2019-05-04 15:54:54 -04:00
|
|
|
return (len <= INT_MAX) ? len : (size_t)-1;
|
2011-06-14 20:33:15 +03:00
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Given a pointer into the map data, return that pointer if there is a NULL terminator
|
|
|
|
|
* between ptr and the len_hint.
|
|
|
|
|
*
|
|
|
|
|
* Like fmap_need_offstr, but takes a pointer into the map data instead of an offset.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param ptr pointer to the start of string.
|
|
|
|
|
* @param len_hint max length of string. if 0, will use rest of map as max string length.
|
|
|
|
|
* @return const void* pointer of string, or NULL if no NULL terminator found.
|
|
|
|
|
*/
|
2012-01-05 14:16:09 +02:00
|
|
|
static inline const void *fmap_need_str(fmap_t *m, const void *ptr, size_t len_hint)
|
2011-06-14 20:33:15 +03:00
|
|
|
{
|
2011-06-14 22:54:44 +03:00
|
|
|
return m->need_offstr(m, fmap_ptr2off(m, ptr), len_hint);
|
2011-06-14 20:33:15 +03:00
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Return a pointer at the given offset into an fmap iff there is a
|
|
|
|
|
* null terminator between `at` and `len_hint` or the end of the map.
|
|
|
|
|
* if `len_hint` is 0.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param at offset of the start of string.
|
|
|
|
|
* @param len_hint max length of string. if 0, will use rest of map as max string length.
|
|
|
|
|
* @return const void* pointer of string, or NULL if no NULL terminator found.
|
|
|
|
|
*/
|
2011-06-14 20:33:15 +03:00
|
|
|
static inline const void *fmap_need_offstr(fmap_t *m, size_t at, size_t len_hint)
|
|
|
|
|
{
|
|
|
|
|
return m->need_offstr(m, at, len_hint);
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Read a string into `dst`, stopping at a newline or at EOF.
|
|
|
|
|
*
|
|
|
|
|
* Kind of like `fgets()`, but for fmaps, and slightly better in that `at` is in/out,
|
|
|
|
|
* giving you the offset in the fmap after the end of the read.
|
|
|
|
|
*
|
|
|
|
|
* Will null-terminate the string read into dst.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param dst A destination buffer.
|
|
|
|
|
* @param[in,out] at In: Offset in the map to read from. Out: Offset after the read.
|
|
|
|
|
* @param max_len Max size to read (aka no bigger than the size of the dst buffer).
|
|
|
|
|
* @return const void* Returns `dst` on success, else NULL.
|
|
|
|
|
*/
|
2018-12-03 12:40:13 -05:00
|
|
|
static inline const void *fmap_gets(fmap_t *m, char *dst, size_t *at, size_t max_len)
|
|
|
|
|
{
|
2011-06-14 20:33:15 +03:00
|
|
|
return m->gets(m, dst, at, max_len);
|
|
|
|
|
}
|
2011-06-10 17:02:10 +03:00
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Get a pointer to the file data if the requested offset & max-len are within the fmap.
|
|
|
|
|
*
|
|
|
|
|
* Just like `fmap_need_off_once()` except the `len` param is a maximum-len.
|
|
|
|
|
* If successful, the `lenout` param will indicate the _actual_ len of data available.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param at The map offset requested.
|
|
|
|
|
* @param len Maximum length of data requested.
|
|
|
|
|
* @param[out] lenout The actual len of data available.
|
2024-04-10 16:31:46 -07:00
|
|
|
* @return const void* A pointer into to the fmap->data at the requested offset. NULL if offset/len are not contained in the fmap.
|
2021-10-03 14:13:55 -07:00
|
|
|
*/
|
2011-06-10 17:02:10 +03:00
|
|
|
static inline const void *fmap_need_off_once_len(fmap_t *m, size_t at, size_t len, size_t *lenout)
|
|
|
|
|
{
|
2011-06-13 11:55:34 +03:00
|
|
|
const void *p;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (at >= m->len) {
|
2017-09-01 10:18:02 -04:00
|
|
|
*lenout = 0;
|
|
|
|
|
return NULL; /* EOF, not read error */
|
2011-06-10 17:02:10 +03:00
|
|
|
}
|
2017-09-01 10:18:02 -04:00
|
|
|
if (len > m->len - at)
|
|
|
|
|
len = m->len - at;
|
2018-12-03 12:40:13 -05:00
|
|
|
p = fmap_need_off_once(m, at, len);
|
2011-06-14 20:33:15 +03:00
|
|
|
*lenout = p ? len : 0;
|
2011-06-13 11:55:34 +03:00
|
|
|
return p;
|
2011-06-10 17:02:10 +03:00
|
|
|
}
|
|
|
|
|
|
2021-10-03 14:13:55 -07:00
|
|
|
/**
|
|
|
|
|
* @brief Get a pointer to the file data if the requested offset & max-len are within the fmap.
|
|
|
|
|
*
|
|
|
|
|
* Just like `fmap_need_off_once()` except the `len` param is a maximum-len.
|
|
|
|
|
* If successful, the `lenout` param will indicate the _actual_ len of data available.
|
|
|
|
|
*
|
|
|
|
|
* @param m The fmap.
|
|
|
|
|
* @param ptr A pointer into the fmap->data.
|
|
|
|
|
* @param len Maximum length of data requested.
|
|
|
|
|
* @param[out] lenout The actual len of data available.
|
2024-04-10 16:31:46 -07:00
|
|
|
* @return const void* A pointer into to the fmap->data at the requested offset. NULL if offset/len are not contained in the fmap.
|
2021-10-03 14:13:55 -07:00
|
|
|
*/
|
2011-06-10 17:02:10 +03:00
|
|
|
static inline const void *fmap_need_ptr_once_len(fmap_t *m, const void *ptr, size_t len, size_t *lenout)
|
|
|
|
|
{
|
2011-06-14 22:54:44 +03:00
|
|
|
return fmap_need_off_once_len(m, fmap_ptr2off(m, ptr), len, lenout);
|
2011-06-10 17:02:10 +03:00
|
|
|
}
|
|
|
|
|
|
2018-07-30 20:19:28 -04:00
|
|
|
/**
|
|
|
|
|
* @brief Dump a specified range of data from an fmap to a new temp file.
|
2019-05-04 15:54:54 -04:00
|
|
|
*
|
2018-07-30 20:19:28 -04:00
|
|
|
* @param map The file map in question
|
|
|
|
|
* @param filepath (Optional) The full filepath of the file being dumped.
|
|
|
|
|
* @param tmpdir The directory to drop the file to.
|
|
|
|
|
* @param outname The filename chosen for the temp file.
|
|
|
|
|
* @param outfd The file descriptor of the new file, open and seeked to the start of the file.
|
|
|
|
|
* @param start_offset The start offset of the data that you wish to write to the temp file. Must be less than the length of the fmap and must be less than end_offset.
|
|
|
|
|
* @param end_offset The end offset of the data you wish to write to the temp file. May be larger than the size of the fmap. Use SIZE_MAX to write the entire fmap.
|
2019-05-04 15:54:54 -04:00
|
|
|
* @return cl_error_t CL_SUCCESS on success, else CL_EARG, CL_EWRITE, CL_ECREAT, or CL_EMEM for self-explanatory reasons.
|
2018-07-30 20:19:28 -04:00
|
|
|
*/
|
|
|
|
|
cl_error_t fmap_dump_to_file(fmap_t *map, const char *filepath, const char *tmpdir, char **outname, int *outfd, size_t start_offset, size_t end_offset);
|
2013-11-22 19:41:46 -05:00
|
|
|
|
2011-06-14 20:33:15 +03:00
|
|
|
/* deprecated */
|
2018-07-30 20:19:28 -04:00
|
|
|
/**
|
2023-11-26 15:01:19 -08:00
|
|
|
* @brief Return the open file descriptor for the fmap (if available).
|
2019-05-04 15:54:54 -04:00
|
|
|
*
|
|
|
|
|
* This function will only provide the file descriptor if the fmap handle is set,
|
2023-12-06 17:33:21 -05:00
|
|
|
* and if the handle is in fact a file descriptor (handle_is_fd == true).
|
2019-05-04 15:54:54 -04:00
|
|
|
*
|
2018-07-30 20:19:28 -04:00
|
|
|
* @param m The fmap.
|
|
|
|
|
* @return int The file descriptor, or -1 if not available.
|
|
|
|
|
*/
|
2011-06-14 18:48:50 +03:00
|
|
|
int fmap_fd(fmap_t *m);
|
|
|
|
|
|
2025-06-03 19:03:20 -04:00
|
|
|
/**
|
|
|
|
|
* @brief Indicate that we will want to calculate this hash later.asm
|
|
|
|
|
*
|
|
|
|
|
* Set a flag to provide advanced notice that the next time we get a hash and
|
|
|
|
|
* it has to calculate the hash, it will also calculate this hash.
|
|
|
|
|
*
|
|
|
|
|
* This is an optimization so that all hashes may be calculated in one pass
|
|
|
|
|
* of the file rather than doing multiple passes of the file for each
|
|
|
|
|
* needed hash.
|
|
|
|
|
*
|
|
|
|
|
* @param map The map in question.
|
|
|
|
|
* @param type The type of hash we'll need.
|
|
|
|
|
* @return cl_error_t CL_SUCCESS if was able to set the flag, else some error.
|
|
|
|
|
*/
|
|
|
|
|
cl_error_t fmap_will_need_hash_later(fmap_t *map, cli_hash_type_t type);
|
|
|
|
|
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │ └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
| └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │ └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │ └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │ └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │ └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │ └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │ └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
| └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │ └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
| └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
/**
|
2022-08-18 20:00:33 -07:00
|
|
|
* @brief Get a pointer to the fmap hash.
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │ └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
| └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │ └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │ └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │ └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │ └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │ └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │ └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
| └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │ └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
| └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
*
|
|
|
|
|
* Will calculate the hash if not already previously calculated.
|
|
|
|
|
*
|
|
|
|
|
* @param map The map in question.
|
|
|
|
|
* @param[out] hash A pointer to the hash.
|
2022-08-18 20:00:33 -07:00
|
|
|
* @param type The type of hash to calculate.
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │ └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
| └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │ └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │ └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │ └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │ └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │ └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │ └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
| └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │ └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │ └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
| └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
* @return cl_error_t CL_SUCCESS if was able to get the hash, else some error.
|
|
|
|
|
*/
|
2025-06-03 19:03:20 -04:00
|
|
|
cl_error_t fmap_get_hash(fmap_t *map, uint8_t **hash, cli_hash_type_t type);
|
2022-08-18 20:00:33 -07:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief Set the hash for the fmap that was previously calculated.
|
|
|
|
|
*
|
|
|
|
|
* @param map The map in question.
|
|
|
|
|
* @param hash The hash to set.
|
|
|
|
|
* @param type The type of hash to calculate.
|
|
|
|
|
* @return cl_error_t CL_SUCCESS if was able to set the hash, else some error.
|
|
|
|
|
*/
|
2025-06-03 19:03:20 -04:00
|
|
|
cl_error_t fmap_set_hash(fmap_t *map, uint8_t *hash, cli_hash_type_t type);
|
2020-02-23 12:38:18 -05:00
|
|
|
|
2009-08-20 02:19:57 +02:00
|
|
|
#endif
|