Logical signature hook for bytecode.

libclamav/bytecode.c

@@ -31,6 +31,9 @@
 #include "readdb.h"
 #include <string.h>
 
+/* TODO: we should make sure lsigcnt is never NULL, and has at least as many
+ * elements as the bytecode needs */
+static const uint32_t nomatch[64];
 struct cli_bc_ctx *cli_bytecode_context_alloc(void)
 {
     struct cli_bc_ctx *ctx = cli_malloc(sizeof(*ctx));
@@ -41,6 +44,8 @@ struct cli_bc_ctx *cli_bytecode_context_alloc(void)
     ctx->opsizes = NULL;
     ctx->fd = -1;
     ctx->off = 0;
+    ctx->lsigcnt = nomatch;
+    ctx->virname = NULL;
     return ctx;
 }
 
@@ -967,6 +972,8 @@ static int parseBB(struct cli_bc *bc, unsigned func, unsigned bb, unsigned char
 	    default:
 		numOp = operand_counts[inst.opcode];
 		switch (numOp) {
+		    case 0:
+			break;
 		    case 1:
 			inst.u.unaryop = readOperand(bcfunc, buffer, &offset, len, &ok);
 			break;
@@ -980,7 +987,7 @@ static int parseBB(struct cli_bc *bc, unsigned func, unsigned bb, unsigned char
 			inst.u.three[2] = readOperand(bcfunc, buffer, &offset, len, &ok);
 			break;
 		    default:
-			cli_errmsg("Opcode with too many operands: %u?\n", numOp);
+			cli_errmsg("Opcode %u with too many operands: %u?\n", inst.opcode, numOp);
 			ok = 0;
 			break;
 		}
@@ -1398,3 +1405,30 @@ int cli_bytecode_context_setfile(struct cli_bc_ctx *ctx, int fd)
     return 0;
 }
 
+int cli_bytecode_runlsig(const struct cli_all_bc *bcs, const struct cli_bc *bc, const char **virname, const uint32_t* lsigcnt, int fd)
+{
+    int ret;
+    struct cli_bc_ctx ctx;
+    memset(&ctx, 0, sizeof(ctx));
+    cli_bytecode_context_setfuncid(&ctx, bc, 0);
+    ctx.lsigcnt = lsigcnt;
+    cli_bytecode_context_setfile(&ctx, fd);
+
+    cli_dbgmsg("Running bytecode for logical signature match\n");
+    ret = cli_bytecode_run(bcs, bc, &ctx);
+    if (ret != CL_SUCCESS) {
+	cli_warnmsg("Bytcode failed to run: %s\n", cl_strerror(ret));
+	return CL_SUCCESS;
+    }
+    if (ctx.virname) {
+	cli_dbgmsg("Bytecode found virus: %s\n", ctx.virname);
+	if (virname)
+	    *virname = ctx.virname;
+	cli_bytecode_context_clear(&ctx);
+	return CL_VIRUS;
+    }
+    ret = cli_bytecode_context_getresult_int(&ctx);
+    cli_dbgmsg("Bytecode returned code: %u\n", ret);
+    cli_bytecode_context_clear(&ctx);
+    return CL_SUCCESS;
+}

libclamav/bytecode.h

@@ -81,6 +81,9 @@ int cli_bytecode_run(const struct cli_all_bc *bcs, const struct cli_bc *bc, stru
 void cli_bytecode_destroy(struct cli_bc *bc);
 int cli_bytecode_done(struct cli_all_bc *allbc);
 
+/* Hooks */
+int cli_bytecode_runlsig(const struct cli_all_bc *bcs, const struct cli_bc* bc, const char **virname, const uint32_t* lsigcnt, int fd);
+
 #ifdef __cplusplus
 extern "C" {
 #endif

libclamav/bytecode_api.c

@@ -80,3 +80,11 @@ uint32_t cli_bcapi_debug_print_uint(struct cli_bc_ctx *ctx, uint32_t a, uint32_t
 {
     cli_dbgmsg("bytecode debug: %u\n", a);
 }
+
+/*TODO: compiler should make sure that only constants are passed here, and not
+ * pointers to arbitrary locations that may not be valid when bytecode finishes
+ * executing */
+uint32_t cli_bcapi_setvirusname(struct cli_bc_ctx* ctx, const uint8_t *name, uint32_t len)
+{
+    ctx->virname = name;
+}

libclamav/bytecode_api.h

@@ -48,6 +48,9 @@ enum {
  * start of file */
 int32_t seek(int32_t pos, uint32_t whence);
 
+/* Set the name of the virus we have found */
+uint32_t setvirusname(const uint8_t *name, uint32_t len);
+
 uint32_t debug_print_str(const uint8_t *str, uint32_t len);
 uint32_t debug_print_uint(uint32_t a, uint32_t b);
 //const char *LogicalSignature;

libclamav/bytecode_api_decl.c

@@ -28,6 +28,7 @@ uint32_t cli_bcapi_test0(struct cli_bc_ctx *ctx, struct foo*, uint32_t);
 uint32_t cli_bcapi_test1(struct cli_bc_ctx *ctx, uint32_t, uint32_t);
 int32_t cli_bcapi_read(struct cli_bc_ctx *ctx, uint8_t*, int32_t);
 int32_t cli_bcapi_seek(struct cli_bc_ctx *ctx, int32_t, uint32_t);
+uint32_t cli_bcapi_setvirusname(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
 uint32_t cli_bcapi_debug_print_str(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
 uint32_t cli_bcapi_debug_print_uint(struct cli_bc_ctx *ctx, uint32_t, uint32_t);
 
@@ -52,7 +53,8 @@ const struct cli_apicall cli_apicalls[]={
 	{"test1", 3, 0, 0},
 	{"read", 4, 1, 1},
 	{"seek", 3, 1, 0},
-	{"debug_print_str", 4, 2, 1},
+	{"setvirusname", 4, 2, 1},
+	{"debug_print_str", 4, 3, 1},
 	{"debug_print_uint", 3, 2, 0}
 /* Bytecode APIcalls END */
 };
@@ -64,6 +66,7 @@ const cli_apicall_int2 cli_apicalls0[] = {
 const cli_apicall_pointer cli_apicalls1[] = {
 	(cli_apicall_pointer)cli_bcapi_test0,
 	(cli_apicall_pointer)cli_bcapi_read,
+	(cli_apicall_pointer)cli_bcapi_setvirusname,
 	(cli_apicall_pointer)cli_bcapi_debug_print_str
 };
 const unsigned cli_apicall_maxapi = sizeof(cli_apicalls)/sizeof(cli_apicalls[0]);

libclamav/bytecode_api_impl.h

@@ -25,5 +25,8 @@ uint32_t cli_bcapi_test1(struct cli_bc_ctx *, uint32_t, uint32_t);
 
 int32_t cli_bcapi_read(struct cli_bc_ctx*, uint8_t *data, int32_t size);
 int32_t cli_bcapi_seek(struct cli_bc_ctx*, int32_t pos, uint32_t whence);
+
+uint32_t cli_bcapi_setvirusname(struct cli_bc_ctx*, const uint8_t *name, uint32_t len);
+
 uint32_t cli_bcapi_debug_print_str(struct cli_bc_ctx *ctx, const uint8_t*, uint32_t);
 uint32_t cli_bcapi_debug_print_uint(struct cli_bc_ctx *ctx, uint32_t, uint32_t);

libclamav/bytecode_priv.h

@@ -99,6 +99,7 @@ struct cli_bc_ctx {
     off_t off;
     int fd;
     const uint32_t *lsigcnt;
+    const char *virname;
 };
 struct cli_all_bc;
 int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct cli_bc_func *func, const struct cli_bc_inst *inst);

libclamav/c++/Makefile.am

@@ -13,7 +13,7 @@
 #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 #  MA 02110-1301, USA.
 
-AM_CPPFLAGS = -I$(top_srcdir)/../.. -I$(top_srcdir)/..
+AM_CPPFLAGS = -I$(top_srcdir)/../.. -I$(top_srcdir)/.. -I$(top_builddir)/../../
 ACLOCAL_AMFLAGS=-I m4
 if DEBUG_BUILD
 LLVM_CONFIG=llvm/Debug/bin/llvm-config

libclamav/c++/Makefile.in

@@ -933,7 +933,7 @@ target_vendor = @target_vendor@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-AM_CPPFLAGS = -I$(top_srcdir)/../.. -I$(top_srcdir)/..
+AM_CPPFLAGS = -I$(top_srcdir)/../.. -I$(top_srcdir)/.. -I$(top_builddir)/../../
 ACLOCAL_AMFLAGS = -I m4
 @DEBUG_BUILD_FALSE@LLVM_CONFIG = llvm/Release/bin/llvm-config
 @DEBUG_BUILD_TRUE@LLVM_CONFIG = llvm/Debug/bin/llvm-config

libclamav/c++/bytecode2llvm.cpp

@@ -57,6 +57,15 @@
 #ifndef LLVM_MULTITHREADED
 #error "Multithreading support must be available to LLVM!"
 #endif
+
+#ifdef HAVE_CONFIG_H
+#undef PACKAGE_BUGREPORT
+#undef PACKAGE_NAME
+#undef PACKAGE_STRING
+#undef PACKAGE_TARNAME
+#undef PACKAGE_VERSION
+#include "clamav-config.h"
+#endif
 #include "clamav.h"
 #include "clambc.h"
 #include "bytecode_priv.h"
@@ -344,7 +353,6 @@ public:
     {}
 
     bool generate() {
-	PrettyStackTraceString Trace(BytecodeID.str().c_str());
 	TypeMap = new LLVMTypeMapper(Context, bc->types + 4, bc->num_types - 5);
 
 	FunctionType *FTy = FunctionType::get(Type::getVoidTy(Context),
@@ -602,6 +610,9 @@ public:
 			case OP_BC_RET:
 			    Builder.CreateRet(Op0);
 			    break;
+			case OP_BC_RET_VOID:
+			    Builder.CreateRetVoid();
+			    break;
 			case OP_BC_ICMP_EQ:
 			    Store(inst->dest, Builder.CreateICmpEQ(Op0, Op1));
 			    break;
@@ -651,7 +662,8 @@ public:
 			    }
 			    CallInst *CI = Builder.CreateCall(DestF, args.begin(), args.end());
 			    CI->setCallingConv(CallingConv::Fast);
-			    Store(inst->dest, CI);
+			    if (CI->getType()->getTypeID() != Type::VoidTyID)
+				Store(inst->dest, CI);
 			    break;
 			}
 			case OP_BC_CALL_API:
@@ -904,6 +916,8 @@ int bytecode_init(void)
     llvm_install_error_handler(llvm_error_handler);
 #ifdef CL_DEBUG
     sys::PrintStackTraceOnErrorSignal();
+#else
+    llvm::DisablePrettyStackTrace = true;
 #endif
     atexit(do_shutdown);
 

libclamav/matcher.c

@@ -318,7 +318,7 @@ int cli_checkfp(int fd, cli_ctx *ctx)
 
 int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode)
 {
- 	unsigned char *buffer, *buff, *endbl, *upt;
+        unsigned char *buffer, *buff, *endbl, *upt;
 	int ret = CL_CLEAN, type = CL_CLEAN, bytes;
 	unsigned int i, evalcnt;
 	uint32_t buffersize, length, maxpatlen, shift = 0, offset = 0;
@@ -459,10 +459,16 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
 	    evalcnt = 0;
 	    evalids = 0;
 	    if(cli_ac_chklsig(troot->ac_lsigtable[i]->logic, troot->ac_lsigtable[i]->logic + strlen(troot->ac_lsigtable[i]->logic), tdata.lsigcnt[i], &evalcnt, &evalids, 0) == 1) {
-		if(ctx->virname)
-		    *ctx->virname = troot->ac_lsigtable[i]->virname;
-		ret = CL_VIRUS;
-		break;
+		if (!troot->ac_lsigtable[i]->bc) {
+		    if(ctx->virname)
+			*ctx->virname = troot->ac_lsigtable[i]->virname;
+		    ret = CL_VIRUS;
+		    break;
+		}
+		if (cli_bytecode_runlsig(&ctx->engine->bcs, troot->ac_lsigtable[i]->bc, ctx->virname, tdata.lsigcnt[i], desc) == CL_VIRUS) {
+		    ret = CL_VIRUS;
+		    break;
+		}
 	    }
 	}
 	cli_ac_freedata(&tdata);
@@ -473,10 +479,16 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
 	    evalcnt = 0;
 	    evalids = 0;
 	    if(cli_ac_chklsig(groot->ac_lsigtable[i]->logic, groot->ac_lsigtable[i]->logic + strlen(groot->ac_lsigtable[i]->logic), gdata.lsigcnt[i], &evalcnt, &evalids, 0) == 1) {
-		if(ctx->virname)
-		    *ctx->virname = groot->ac_lsigtable[i]->virname;
-		ret = CL_VIRUS;
-		break;
+		if (!groot->ac_lsigtable[i]->bc) {
+		    if(ctx->virname)
+			*ctx->virname = groot->ac_lsigtable[i]->virname;
+		    ret = CL_VIRUS;
+		    break;
+		}
+		if (cli_bytecode_runlsig(&ctx->engine->bcs, groot->ac_lsigtable[i]->bc, ctx->virname, gdata.lsigcnt[i], desc) == CL_VIRUS) {
+		    ret = CL_VIRUS;
+		    break;
+		}
 	    }
 	}
 	cli_ac_freedata(&gdata);

libclamav/readdb.c

@@ -882,6 +882,16 @@ static int load_oneldb(char *buffer, int chkpua, int chkign, struct cl_engine *e
 	cli_errmsg("cli_loadldb: Broken logical expression or too many subsignatures\n");
 	return CL_EMALFDB;
     }
+    if (!line) {
+	/* This is a logical signature from the bytecode, we need all
+	 * subsignatures, even if not referenced from the logical expression */
+	if (subsigs > tokens_count-3) {
+	    cli_errmsg("load_oneldb: Too many subsignatures: %u (max %u)\n",
+		       subsigs, tokens_count-3);
+	    return CL_EMALFDB;
+	}
+	subsigs = tokens_count-3;
+    }
 
     /* TDB */
     memset(&tdb, 0, sizeof(tdb));
@@ -937,7 +947,7 @@ static int load_oneldb(char *buffer, int chkpua, int chkign, struct cl_engine *e
     root->ac_lsigtable = newtable;
 
     for(i = 0; i < subsigs; i++) {
-	if(i >= tokens_count) {
+	if(i+3 >= tokens_count) {
 	    cli_errmsg("cli_loadldb: Missing subsignature id %u\n", i);
 	    return CL_EMALFDB;
 	}

unit_tests/input/lsig.cbc

@@ -1,7 +1,11 @@
-ClamBCaa`|`````|`aoaap`clamcoincidencejb
+ClamBCaa`|`````|`bbaabp`clamcoincidencejb
 L;Target:0;((0|1|2)=42,2);aabb;ffffffff;aaccee;f00d
-Tedebndebmdebldebkdebadebcddadb`bdagahdaiahdaeah
-E``
-GalbndBafBafBbfBbf@`bmdBffBffBffBffBffBffBffBff@`bndBffB`cB`cBdf@`bldBafBafBcfBcfBefBef@`bad@@`bad@Aa`bad@Ab`bad@Ac`bcdAcD```h`bcdAbD```h`bcd@D```h`bcdAaD```h`
-A`b`bLacb`baab`bFadaa
-Bb`b`gbAh`aaaaeab`b`Abdb`bab`aaaTcab`babE
+Tedebaeeb`eebodebndebmdebadebcdacb`bbadb`bdadb`bdakahdagahdaiahdaeah
+Eaeaaaebld|amcgefdgfgifbgegcgnfafmfef``
+GanbaeBafBafBbfBbf@`b`eBffBffBffBffBffBffBffBff@`baeBffB`cB`cBdf@`bodBafBafBcfBcfBefBef@`bndBdeBbgBofBjfBafBnfBnbBfdBodBod@`bad@@`bad@Aa`bad@Ab`bad@Ac`bad@Ad`bcdAcD```h`bcdAbD```h`bcd@D```h`bcdAaD```h`
+A`b`bLacb`baa`Fafac
+Bb`b`gbAj`aaaaeab`b`AbdTaaaaaaab
+B```b`abTcab`b@d
+BTcab`b@dE
+A``Laab`bFabaa
+Bb`b`abbaeAi`@dTdaE