Commit graph

53 commits

Author SHA1 Message Date
Val Snyder
7ff29b8c37
Bump copyright dates for 2025 2025-02-14 10:24:30 -05:00
Micah Snyder
405829ee88 Refine max-allocation and safer-allocation function and macro names
We add the _OR_GOTO_DONE suffix to the macros that go to done if the
allocation fails. This makes it obvious what is different about the
macro versus the equivalent function, and that error handling is
built-in.

Renamed the cli_strdup to safer_strdup to make it obvious that it exists
because it is safer than regular strdup. Regular strdup doesn't have the
NULL check before trying to dup, and so may result in a NULL-deref
crash.

Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the
NULL-check is preferred.
2024-03-15 13:18:47 -04:00
Micah Snyder
39070d1c76 Remove additional memory allocation limits relating to signature load
Variables like the number of signature parts are considered trusted user input
and so allocations based on those values need not check the memory allocation
limit.

Specifically for the allocation of the normalized buffer in cli_scanscript,
I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen
comes from the signature load and is therefore also trusted, so we do not
need to check the allocation limit.
2024-03-15 13:18:47 -04:00
Micah Snyder
8e04c25fec Rename clamav memory allocation functions
We have some special functions to wrap malloc, calloc, and realloc to
make sure we don't allocate more than some limit, similar to the
max-filesize and max-scansize limits. Our wrappers are really only
needed when allocating memory for scans based on untrusted user input,
where a scan file could have bytes that claim you need to allocate
some ridiculous amount of memory. Right now they're named:
- cli_malloc
- cli_calloc
- cli_realloc
- cli_realloc2

... and these names do not convey their purpose

This commit renames them to:
- cli_max_malloc
- cli_max_calloc
- cli_max_realloc
- cli_max_realloc2

The realloc ones also have an additional feature in that they will not
free your pointer if you try to realloc to 0 bytes. Freeing the memory
is undefined by the C spec, and only done with some realloc
implementations, so this stabilizes on the behavior of not doing that,
which should prevent accidental double-frees.

So for the case where you may want to realloc and do not need to have a
maximum, this commit adds the following functions:
- cli_safer_realloc
- cli_safer_realloc2

These are used for the MPOOL_REALLOC and MPOOL_REALLOC2 macros when
MPOOL is disabled (e.g. because mmap-support is not found), so as to
match the behavior in the mpool_realloc/2 functions that do not make use
of the allocation-limit.
2024-03-15 13:18:47 -04:00
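The two properties the message attributes to the realloc wrappers, shown in an added example that is not ClamAV's code: a zero-byte request never frees the caller's pointer, and the max variant additionally refuses sizes above a limit. The function names, the limit value and `demo_grow` are assumptions made for the illustration.

```c
#include <stdlib.h>

/* Assumed limit for buffers sized from untrusted scan input (not ClamAV's real value). */
#define DEMO_MAX_ALLOCATION (64u * 1024u * 1024u)

/* Hypothetical "safer" realloc: a zero-byte request does NOT free `ptr`
 * (some libc realloc implementations would), so the caller's pointer stays
 * valid and a later free() cannot become a double free. On any failure the
 * original block is left untouched, exactly as realloc itself guarantees. */
void *demo_safer_realloc(void *ptr, size_t size)
{
    if (size == 0) {
        return NULL;
    }
    return realloc(ptr, size);
}

/* Hypothetical "max" realloc: same zero-size rule, plus a refusal of sizes
 * above the limit, for buffers whose size comes from untrusted input. */
void *demo_max_realloc(void *ptr, size_t size)
{
    if (size > DEMO_MAX_ALLOCATION) {
        return NULL;
    }
    return demo_safer_realloc(ptr, size);
}

/* Caller pattern: grow a buffer from `initial` to `grown` bytes, replacing the
 * pointer only when the wrapper succeeds, so the old buffer is neither lost
 * nor freed twice. Returns the final usable length, or 0 if the first
 * allocation failed. */
size_t demo_grow(size_t initial, size_t grown)
{
    char *buf = malloc(initial);
    size_t len = initial;
    char *tmp;

    if (buf == NULL) {
        return 0;
    }
    tmp = demo_max_realloc(buf, grown);
    if (tmp != NULL) {
        buf = tmp;          /* success: adopt the new block */
        len = grown;
    }                       /* failure or zero request: `buf` is still valid */
    free(buf);              /* exactly one free on every path */
    return len;
}
```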
Micah Snyder
6d6e04ddf8 Optimization: replace limited allocation calls
There are a large number of allocations for fixed-size buffers using the
`cli_malloc` and `cli_calloc` calls that check if the requested size is
larger than our allocation threshold for allocations based on untrusted
input. These allocations will *always* be higher than the threshold, so
the extra stack frame and check for these calls is a waste of CPU.

This commit replaces needless calls with A -> B:
- cli_malloc -> malloc
- cli_calloc -> calloc
- CLI_MALLOC -> MALLOC
- CLI_CALLOC -> CALLOC

I also noticed that our MPOOL_MALLOC / MPOOL_CALLOC are not limited by
the max-allocation threshold, when MMAP is found/enabled. But the
alternative was set to cli_malloc / cli_calloc when disabled. I changed
those as well.

I didn't change the cli_realloc/2 calls because our version of realloc
not only implements a threshold but also stabilizes the undefined
behavior in realloc to protect against accidental double-frees.
It may be worth implementing a cli_realloc that doesn't have the
threshold built-in, however, so as to allow reallocations for things
like buffers for loading signatures, which aren't subject to the same
concern as allocations for scanning possible malware.

There was one case in mbox.c where I changed MALLOC -> CLI_MALLOC,
because it appears to be allocating based on untrusted input.
2024-03-15 13:18:47 -04:00
Micah Snyder
9cb28e51e6 Bump copyright dates for 2024 2024-01-22 11:27:17 -05:00
RainRat
1b17e20571
Fix typos (no functional changes) 2024-01-19 09:08:36 -08:00
RainRat
caf324e544
Fix typos (no functional changes) 2023-11-26 18:01:19 -05:00
Micah Snyder
6eebecc303 Bump copyright for 2023 2023-02-12 11:20:22 -08:00
ragusaa
cdbb4b8a48
Fix divide by zero crash loading LDB signature
If a byte compare subsignature specifies a 0-byte length then the
process may crash with a divide-by-zero exception while loading
the signature.

byte_length had validation for invalid characters, but nothing for a
zero value. Added validation for a zero value.
2022-06-22 19:38:51 -07:00
ragusaa
d6d7f183bf
Fix heap over-read when loading some LDB signatures
There is a possible heap buffer overflow read when loading some malformed
logical signatures that use the byte-compare feature.

Previously the upper bound for the loop in cli_bcomp_freemeta was hardcoded to 2.
But it's possible for there to be less than 2 items.

This issue is not a vulnerability.

Changed "2" to "bm->comp_count" to avoid going past the end.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43816
2022-05-27 18:02:40 -07:00
Micah Snyder
fd587c741c Image fuzzy hash: new logical sub-signature feature
Add a new logical signature subsignature type for matching on images
with image fuzzy hashes.

Image fuzzy hash subsignatures follow this format:

    fuzzy_img#<hash>#<dist>

In this initial implementation, the hamming distance (dist) is ignored
and only exact fuzzy hash matches will alert.

Fuzzy hash matching is only performed for supported image types.

Also: removed some excessive debug log messages on start-up.

Fixed an issue where the signature name (virname) is being allocated and
stored for every subsignature or even every sub-pattern in an AC-pattern
(i.e. NDB sig or LDB subsig) containing a `{n-m}` or `*` wildcard.
This fix is only for LDB subsigs though. NDB signatures are still
allocating one virname per sub-pattern.

This fix was required because I needed a place to store the virname with
fuzzy-hash subsignatures. Storing it in the fuzzy-hash subsig
metadata the way AC-pattern, PCRE, and BComp subsigs were doing it
wouldn't work because it would cross the C-Rust FFI boundary and giving
pointers to Rust allocated stuff is dicey. Not to mention native Rust
strings are different than C strings. Anyways, the correct thing to do
was to store the virname with the actual logical signature.

TODO: Keep track of NDB signatures in the same way and store the virname
for NDB sigs there instead of in AC-patterns so that we can get rid of
the virname field in the AC-pattern struct.
2022-03-02 13:12:59 -07:00
Micah Snyder
2e55c901b1 Fix byte-compare subsignature premature alert
The byte compare feature in logical signatures will cause the rule to
alert if it successfully matches regardless of the rest of the logical
signature.

An easy way to test this is with a logical signature that has two
bcomp subsignatures and requires both to match for the rule to alert.

In the following example, we have 4 signatures where
- the first will match both bcomp subsigs.
- the second will match neither.
- the last two match just one bcomp subsig.

In an --allmatch test, you'll find that 3 of these match, with the
first one matching *twice*, once for each bcomp subsig.

test.ldb:
```
bcomp.both;Engine:51-255,Target:0;0&1&2&3;4141;0(>>5#hb2#=123);4242;2(>>5#hb2#=255)
bcomp.neither;Engine:51-255,Target:0;0&1&2&3;4141;0(>>5#hb2#=124);4242;2(>>5#hb2#=254)
bcomp.second;Engine:51-255,Target:0;0&1&2&3;4141;0(>>5#hb2#=124);4242;2(>>5#hb2#=255)
bcomp.first;Engine:51-255,Target:0;0&1&2&3;4141;0(>>5#hb2#=123);4242;2(>>5#hb2#=254)
```

test.sample:
```
AA = 7B; BB = FF
```

You can also try a similar test to compare the behavior with regular
ac-pattern-match subsigs with this lsig-test.ldb:
```
pattern.both;Engine:51-255,Target:0;0&1;4141;4242
pattern.neither;Engine:51-255,Target:0;0&1;4140;4241
pattern.second;Engine:51-255,Target:0;0&1;4140;4242
pattern.first;Engine:51-255,Target:0;0&1;4141;4241
```

This commit fixes the issue by incrementing the logical subsignature
count for each bcomp subsig match instead of appending an alert for
each bcomp match.

Also removed call to `lsig_sub_matched()` that didn't do anything.
2022-02-15 20:49:10 -07:00
micasnyd
140c88aa4e Bump copyright for 2022
Includes minor format corrections.
2022-01-09 14:23:25 -07:00
Andy Ragusa
5ea5494f4b Removed unused variable hex 2021-08-18 15:21:55 -07:00
Andy Ragusa
3930ca13d1 Removed Coverity warning about null check after the value is used
Removed Coverity check by declaring subsigid as an array instead
of a pointer that would need to be calloc'd, since the size is
known at compile time.
2021-08-18 15:21:55 -07:00
Andrea De Pasquale
815d086c47 Fix memleak when using multiple byte comp subsigs
The for loop in cli_bcomp_scanbuf contains a few "continue" directives
that do not free the three-bytes subsigid buffer allocated within the
loop. This code path is triggered only when a signature contains more
than one byte compare subsignatures. Over a significant amount of time,
as for example when using clamd, this leads to memory exhaustion.
2021-06-20 19:26:19 -07:00
Andrew
f8627725c1 Address feedback from review on PR#485 2021-04-02 12:58:12 -07:00
Andrew
1bad40b8ee More coverity issue fixes (mostly error handling)
- 192959 Resource leak - In cli_bcomp_compare_check: Leak of
  memory or pointers to system resources. Several fail cases
  could lead to `buffer` or `tmp_buffer` being leaked

- 192934 Resource leak - In cli_bcomp_normalize_buffer: Leak of
  memory or pointers to system resources. `hex_buffer` leaked
  under certain conditions

- 185977 Resource leak - In ole2_process_property: Leak of memory
  or pointers to system resources. A fail case could lead to
  `outstr` and `outstr2` being leaked

- 185941 Resource leak - In header_cb (clamsubmit): Leak of
  memory or pointers to system resources. A fail case could lead
  to `mem` being leaked

- 185925 Resource leak - In load_oneyara: Leak of memory or
  pointers to system resources. Several fail cases could lead
  to `newident` being leaked

- 185918 Resource leak - In parsehwp3_docsummary: Leak of memory
  or pointers to system resources. Not actually a leak, but
  caused by checking for a condition that can't occur.

- 185915 Resource leak - In parsehwp3_docinfo: Leak of memory or
  pointers to system resources. Not actually a leak, but caused
  by checking for a condition that can't occur.

- 147644 Resource leak - In tcpserver: Leak of memory or pointers
  to system resources. A fail case could lead to `info` being leaked

- 147642 Resource leak - In onas_ht_add_hierarchy: Leak of memory
  or pointers to system resources. Several fail cases could lead
  to `hnode` or `elem` memory leaks
2021-04-02 12:58:12 -07:00
Micah Snyder (micasnyd)
b9ca6ea103 Update copyright dates for 2021
Also fixes up clang-format.
2021-03-19 15:12:26 -07:00
Mickey Sola
da506b6178 bcomp - limit check subsigid 2020-01-30 15:01:35 -08:00
Mickey Sola
9ecbda8105 bcomp - fix memory leak caused by allocation of heap space for subsigid when setting up byte compare scan criteria in cli_bcomp_scanbuf 2020-01-30 15:01:35 -08:00
Micah Snyder
206dbaefe8 Update copyright dates for 2020 2020-01-03 15:44:07 -05:00
Micah Snyder
bcb4505e60 bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceded with two underscores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map. 2019-10-02 16:08:30 -04:00
Micah Snyder
ca8b4c466e Assortment of warning fixes. 2019-10-02 16:08:25 -04:00
Micah Snyder
ee40795fe2 Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior. 2019-10-02 16:08:25 -04:00
Micah Snyder
5f4f69102d Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings. 2019-10-02 16:08:25 -04:00
Paul Arthur
f5ca0ae757 Fix buffer length check
It is possible for bm->offset to be negative and (offset + bm->offset)
to be positive, in which case the bounds check was incorrectly skipped,
which could result in a segfault.

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x00007fea90598db0 in cli_bcomp_compare_check (
        f_buffer=0x7fea5c9e3a3e <error: Cannot access memory at address 0x7fea5c9e3a3e>, f_buffer@entry=0x7fea5c98c1ba "\001\030\001\030",
        buffer_length=buffer_length@entry=2590, offset=<optimized out>,
        bm=bm@entry=0x7fea7289f9c8) at matcher-byte-comp.c:720
2019-10-02 16:08:21 -04:00
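A bounds check that handles the case the message describes (a negative signature offset that still lands inside the buffer), as an added example rather than ClamAV's own code. The parameter names and the choice of a signed 64-bit relative offset are my assumptions; the point is that the check runs for every sign of the offset and rejects both a start before the buffer and a window that runs past its end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical byte-compare window check. `match_offset` is where the
 * referenced subsignature matched (unsigned), `rel_offset` is the signed
 * shift the signature applies to it, and `byte_len` is how many bytes the
 * comparison will read. Returns true only when every byte of the window lies
 * inside a buffer of `buffer_length` bytes. */
bool bcomp_window_in_bounds(size_t buffer_length, size_t match_offset,
                            int64_t rel_offset, size_t byte_len)
{
    int64_t start;

    /* Keep all values in signed range so the arithmetic below cannot wrap. */
    if (buffer_length > (size_t)INT64_MAX || match_offset > (size_t)INT64_MAX ||
        byte_len > (size_t)INT64_MAX) {
        return false;
    }
    if (rel_offset > 0 && (int64_t)match_offset > INT64_MAX - rel_offset) {
        return false;                  /* addition would overflow */
    }

    /* A negative rel_offset can still produce a valid, positive start, so the
     * bounds test must not be skipped based on the sign of either operand. */
    start = (int64_t)match_offset + rel_offset;
    if (start < 0) {
        return false;                  /* window begins before the buffer */
    }
    if ((int64_t)byte_len > (int64_t)buffer_length - start) {
        return false;                  /* window runs past the end */
    }
    return true;
}
```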
Mickey Sola
b8b993f2d4 bcomp - jira826 - fix off by one write during byte compare normalization found while doing ASAN testing 2019-10-02 16:08:21 -04:00
Micah Snyder
52cddcbcfd Updating and cleaning up copyright notices. 2019-10-02 16:08:18 -04:00
Micah Snyder
b3e82e5e61 Replacing libclamav/cltypes.h with clamav-types.h.in, which generates a header clamav-types.h that we install alongside clamav.h. 2019-10-02 16:08:17 -04:00
Micah Snyder
72fd33c8b2 clang-format'd using new .clang-format rules. 2019-10-02 16:08:16 -04:00
Mickey Sola
29267a8859 bcomp - removing const qualifier from working comp buffers 2018-12-02 23:07:08 -05:00
Mickey Sola
dbb60dc9a8 bcomp - fixing signedness issue with large extracted binary values 2018-12-02 23:07:08 -05:00
Mickey Sola
821b1f5182 bcomp - fixing issue where whitespace normalization buffer wasn't being freed, fixing issue where little endian normalization was being done on the file buffer and not the normalized whitespace buffer, fixed issue where auto detection wasn't being done on normalized whitespace buffer 2018-12-02 23:07:04 -05:00
Mickey Sola
4bc3b6c3c1 bcomp - fixing issue with little-endian odd-nibble hex evaluation where the normalized number of bytes were not being read via strntoul 2018-12-02 23:07:04 -05:00
Mickey Sola
ad94912c86 bcomp - fixing issue where autodetect would not identify decimals when bytelen was less than 3, fixing issue with little endian hex normalization where unwanted nibbles were being evaluated 2018-12-02 23:07:04 -05:00
Mickey Sola
371d43083d bcomp - fixing issue with whitespacing padding, fixing issue with little endian extraction of odd nibbled hex sequences, refactoring hex/decimal auto checking and hex buffer normalization code, fixing issue with normalization where it was possible to evaluate unwanted hex bytes, fixing issue with big endian conversion of decimal extracted sequence values after use of cli_strntoul 2018-12-02 23:07:04 -05:00
Mickey Sola
6ad41ab25f bcomp - fixing case where automatic detection would fail against little endian hex values; removing code for little endian decimal support; fixing some clang warnings; fixes for hexadecimal detection in sli_strnto functions; updating documentation 2018-12-02 23:07:04 -05:00
Mickey Sola
65a6842272 bcomp - normalizing buffer for little endian hex comparison and simplifying automatic hex or decimal checks 2018-12-02 23:07:04 -05:00
Mickey Sola
85f528e8aa bcomp - adding option for automatic detection and extraction of decimal or hex values from the buffer 2018-12-02 23:07:04 -05:00
Mickey Sola
d7d58a5847 bcomp - changing map to use original scan buffer to account for normalization offset discrepancies--patch based on suggested solution by Micah 2018-12-02 23:07:04 -05:00
Mickey Sola
dc3b273fbc bcomp - adding comma separated comparison statement evaluations for single subsigs 2018-12-02 23:07:04 -05:00
Mickey Sola
4617e707c9 bcomp - adding ac_chklsig verification to fix reference subsig match checking; fixing double result print when using all match; fix to ensure extracted binary bytes retain their signedness 2018-12-02 23:07:04 -05:00
Mickey Sola
70170a6600 bcomp - updating messaging output to be consistent across the matcher file 2018-12-02 23:07:03 -05:00
Mickey Sola
178d030380 bcomp - updating and fixing binary extraction based on Micah's suggested solution; adding ability to compare and extract negative values 2018-12-02 23:07:03 -05:00
Mickey Sola
b7001d680e bcomp - revamping option parsing; adding binary byte extraction; adding exact byte length matching option 2018-12-02 23:07:03 -05:00
Mickey Sola
2b6c456a1b bcomp - updates and fixes following code review 2018-12-02 23:07:03 -05:00
Mickey Sola
f662034bc1 bcomp - adding initial sigtool support for byte compare signatures 2018-12-02 23:07:03 -05:00
Mickey Sola
88567a4291 bcomp - adding best effort matching when no offset is found for a referenced subsigid 2018-12-02 23:07:03 -05:00