From d628bbc0f6b9e4a9c667cfa52fb4e6a02e5637a6 Mon Sep 17 00:00:00 2001
From: Micah Snyder
Date: Fri, 19 Apr 2024 16:26:00 -0400
Subject: [PATCH] Fix bug when collect-metadata is enabled and caching is disabled

If SCAN_COLLECT_METADATA is enabled, and caching is disabled, we zero-out the hash after recording it. This results in a non-NULL and invalid-hash that may be passed to `cli_scan_fmap()` for the "raw mode" scan. It's an uncommon code path, but would result in comparing hash-sigs with a zeroed hash rather than the valid hash. This bug could result in a missed hash-based sig matches. There is no reason to invalidate or zero-out the hash if we happen to calculate it. We avoid the cache-lookup by checking the engine setting, not by checking if we have a hash.
---
 libclamav/scanners.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index 8aab626131..8cc19297af 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -4443,9 +4443,6 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)
 hash[8], hash[9], hash[10], hash[11], hash[12], hash[13], hash[14], hash[15]);
 ret = cli_jsonstr(ctx->wrkproperty, "FileMD5", hashstr);
- if (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE) {
- memset(hash, 0, CLI_HASHLEN_MD5);
- }
 if (ret != CL_SUCCESS) {
 cli_dbgmsg("cli_magic_scan: returning %d %s (no post, no cache)\n", ret, __AT__);
 goto early_ret;
@@ -4498,7 +4495,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)
 * If self protection mechanism enabled, do the scanraw() scan first
 * before extracting with a file type parser.
 */
- ret = scanraw(ctx, type, 0, &dettype, (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE) ? NULL : hash);
+ ret = scanraw(ctx, type, 0, &dettype, hash);
 // Evaluate the result from the scan to see if it end the scan of this layer early,
 // and to decid if we should propagate an error or not.
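Review bot: With the memset gone, nothing near the `FileMD5` recording says that `hash` is deliberately left intact for later use, so a maintainer could reintroduce clearing here without seeing the scanraw() dependency further down in cli_magic_scan. A one-line comment before the cli_jsonstr call would carry the rationale from the commit message into the code: `/* Keep hash intact: scanraw() below uses it for hash-signature matching even when caching is disabled. */`. The enclosing function cli_magic_scan begins before and continues past this hunk.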
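Review bot: Passing `hash` unconditionally to scanraw() here (and in the identical change to the CL_TYPE_HTML call in the next hunk) relies on scanraw()/cli_scan_fmap() checking ENGINE_OPTIONS_DISABLE_CACHE themselves rather than treating a non-NULL hash as permission to consult or populate the cache; neither hunk shows that check, so it should be confirmed before merging. The hunks also do not show where `hash` is filled in; if it is only computed on the cache-check or SCAN_COLLECT_METADATA path, the buffer reaching scanraw() could be unpopulated when both are off, which the old NULL argument avoided, so confirm it is always computed (or the callee tolerates an unset buffer) before these calls. A regression test that enables collect-metadata, disables the cache and expects a hash-signature detection would pin the fix. cli_magic_scan starts and ends outside this hunk.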
@@ -4935,7 +4932,7 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)
 /* CL_TYPE_HTML: raw HTML files are not scanned, unless safety measure activated via DCONF */
 if (type != CL_TYPE_IGNORED && (type != CL_TYPE_HTML || !(SCAN_PARSE_HTML) || !(DCONF_DOC & DOC_CONF_HTML_SKIPRAW)) && !ctx->engine->sdb) {
- ret = scanraw(ctx, type, typercg, &dettype, (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE) ? NULL : hash);
+ ret = scanraw(ctx, type, typercg, &dettype, hash);
 // Evaluate the result from the scan to see if it end the scan of this layer early,
 // and to decid if we should propagate an error or not.