Hi Mark,

I'm curious if there are any particular files that it scans that cause a seek 
to fail / cause the CL_ESEEK error to bubble up to that switch statement in 
magic_scandesc().  I wouldn't be surprised if an invalid offset in a file 
header caused a seek to an invalid offset.  I don't know if APFS handles seeks 
to offsets outside of the actual file differently than other file systems.  
What is more typical is a read error if you seek outside of the file and then 
read.  Anyhow, if you can identify any samples that cause the issue I'd like to 
test with it. 

Can you send us your patch to tweak the switch statement for review?  I agree 
that a seek error in one file shouldn't halt the entire scan.   

Cheers,
Micah

Micah Snyder
Software Engineer
Talos Intelligence
Cisco Systems, Inc.

-----Original Message-----
From: clamav-devel [mailto:[email protected]] On Behalf Of 
Mark Allan
Sent: Friday, October 27, 2017 10:44 AM
To: ClamAV Development <[email protected]>
Subject: [Clamav-devel] Why is error 13 fatal?

Hi there,

For a while now, ClamAV 0.99.2 has been terminating unexpectedly with error 13 
when running on the latest version of OS X (macOS 10.13) but only on drives 
formatted with the new APFS, so I chalked it up to an APFS issue and reported 
it to Apple.  Today, however, I received a report of the same thing from 
someone whose hard drive is formatted with the old standard HFS+.

There's nothing of note in the scan output, even when run with --debug, and it 
gives the error at a different point every time.  Sometimes it occurs after a 
couple of minutes, sometimes it can be an hour into the scan.

I've had a look at the ClamAV source to see what's causing error 13 and it 
seems to correspond to CL_ESEEK.  Looking in libclamav/scanners.c, I can see a 
switch statement that causes the scan to abort when the result from 
cli_scanraw(...) is CL_ESEEK.

Can anyone think why the error would be occurring, and is there a particular 
reason why experiencing error 13 on one file should cause the rest of the scan 
to be aborted?

Finally, is it safe to tweak that switch statement to log the error and 
continue scanning rather than stopping?  It appears to work, but I'm not sure 
what knock-on effect it might have.

Many thanks
Mark

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
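
The seek-then-read behaviour discussed in this thread, on a POSIX system, as an added example that is not ClamAV code and not part of either message. It shows that a seek past end-of-file succeeds and only the following read comes up short, that a negative offset makes the seek itself fail, and a per-file policy that logs the error and continues. The names `read_at`, `probe`, `scan_all`, `SCAN_OK` and `SCAN_SHORT_READ` are hypothetical; only `CL_ESEEK` and the value 13 come from the thread.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Only the name CL_ESEEK and the value 13 come from the thread;
 * SCAN_OK and SCAN_SHORT_READ are hypothetical codes for this sketch. */
enum { SCAN_OK = 0, SCAN_SHORT_READ = 1, CL_ESEEK = 13 };

/* Seek to an offset taken from an untrusted header field, then read n bytes. */
static int read_at(int fd, off_t off, void *buf, size_t n) {
    if (lseek(fd, off, SEEK_SET) == (off_t)-1)
        return CL_ESEEK;              /* e.g. EINVAL for a negative offset */
    ssize_t got = read(fd, buf, n);   /* past EOF: returns 0, not an error */
    return got == (ssize_t)n ? SCAN_OK : SCAN_SHORT_READ;
}

/* Constructed sample: a 16-byte temp file probed at the given offset. */
static int probe(off_t off) {
    char path[] = "/tmp/seekdemoXXXXXX", buf[4];
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    int rc = -1;
    if (write(fd, "0123456789abcdef", 16) == 16)
        rc = read_at(fd, off, buf, sizeof buf);
    close(fd);
    return rc;
}

/* Per-file policy: log the failure, count it, move on to the next file. */
static int scan_all(const off_t *offs, int n, int *failed) {
    int scanned = 0;
    *failed = 0;
    for (int i = 0; i < n; i++, scanned++) {
        int rc = probe(offs[i]);
        if (rc != SCAN_OK) {
            fprintf(stderr, "file %d: error %d, skipping\n", i, rc);
            (*failed)++;
        }
    }
    return scanned;
}

int main(void) {
    off_t offs[] = {4, 1000, -1, 14};  /* in range, past EOF, negative, straddling EOF */
    int failed, n = scan_all(offs, 4, &failed);
    printf("scanned %d, failed %d\n", n, failed);
    return 0;
}
```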