GitList

libclamav/matcher-bm.c

8000d078	/*
77c98d59	* Copyright (C) 2013-2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
52cddcbc	* Copyright (C) 2007-2013 Sourcefire, Inc.
2023340a	* * Authors: Tomasz Kojm
8000d078	* * This program is free software; you can redistribute it and/or modify
bb34cb31	* it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation.
8000d078	* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software
48b7b4a7	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA.
8000d078	*/
bedc58de	#if HAVE_CONFIG_H #include "clamav-config.h" #endif #include <stdio.h>
563582a1	#include <assert.h>
b2e7c931
8000d078	#include "clamav.h" #include "memory.h" #include "others.h"
b68d11d2	#include "matcher.h"
079229d6	#include "matcher-bm.h"
73218de2	#include "filetypes.h"
3e975a60	#include "filtering.h"
8000d078
b94e66c4	#include "mpool.h"
72fd33c8	#define BM_MIN_LENGTH 3 #define BM_BLOCK_SIZE 3 #define HASH(a, b, c) (211 * a + 37 * b + c)
8000d078
5f4f6910	cl_error_t cli_bm_addpatt(struct cli_matcher root, struct cli_bm_patt pattern, const char *offset)
8000d078	{
72fd33c8	uint16_t idx, i; const unsigned char pt = pattern->pattern; struct cli_bm_patt prev, *next = NULL;
5f4f6910	cl_error_t ret;
72fd33c8	if (pattern->length < BM_MIN_LENGTH) { cli_errmsg("cli_bm_addpatt: Signature for %s is too short\n", pattern->virname); return CL_EMALFDB;
8000d078	}
5f4f6910	if (CL_SUCCESS != (ret = cli_caloff(offset, NULL, root->type, pattern->offdata, &pattern->offset_min, &pattern->offset_max))) {
72fd33c8	cli_errmsg("cli_bm_addpatt: Can't calculate offset for signature %s\n", pattern->virname); return ret;
33872a43	}
72fd33c8	if (pattern->offdata[0] != CLI_OFF_ANY) { if (pattern->offdata[0] == CLI_OFF_ABSOLUTE) root->bm_absoff_num++; else root->bm_reloff_num++;
aca9ea82	}
33872a43
aa47fb3b	/* bm_offmode doesn't use the prefilter for BM signatures anyway, so * don't add these to the filter. */
72fd33c8	if (root->filter && !root->bm_offmode) { /* the bm_suffix load balancing below can shorten the sig,
02eabc6d	* we want to see the entire signature! */
72fd33c8	if (filter_add_static(root->filter, pattern->pattern, pattern->length, pattern->virname) == -1) { cli_warnmsg("cli_bm_addpatt: cannot use filter for trie\n");
ee40795f	MPOOL_FREE(root->mempool, root->filter);
72fd33c8	root->filter = NULL; } /* TODO: should this affect maxpatlen? */
02eabc6d	}
ab1db3b3	#if BM_MIN_LENGTH == BM_BLOCK_SIZE /* try to load balance bm_suffix (at the cost of bm_shift) */
72fd33c8	for (i = 0; i < pattern->length - BM_BLOCK_SIZE + 1; i++) { idx = HASH(pt[i], pt[i + 1], pt[i + 2]); if (!root->bm_suffix[idx]) { if (i) { pattern->prefix = pattern->pattern; pattern->prefix_length = i; pattern->pattern = &pattern->pattern[i]; pattern->length -= i; pt = pattern->pattern; } break; }
8000d078	}
ab1db3b3	#endif
8000d078
72fd33c8	for (i = 0; i <= BM_MIN_LENGTH - BM_BLOCK_SIZE; i++) { idx = HASH(pt[i], pt[i + 1], pt[i + 2]); root->bm_shift[idx] = MIN(root->bm_shift[idx], BM_MIN_LENGTH - BM_BLOCK_SIZE - i);
ab1db3b3	}
8000d078	prev = next = root->bm_suffix[idx];
72fd33c8	while (next) { if (pt[0] >= next->pattern0) break; prev = next; next = next->next;
8000d078	}
72fd33c8	if (next == root->bm_suffix[idx]) { pattern->next = root->bm_suffix[idx]; if (root->bm_suffix[idx]) pattern->cnt = root->bm_suffix[idx]->cnt; root->bm_suffix[idx] = pattern;
8000d078	} else {
72fd33c8	pattern->next = prev->next; prev->next = pattern;
8000d078	}
f70b93e1	pattern->pattern0 = pattern->pattern[0];
ab1db3b3	root->bm_suffix[idx]->cnt++;
8000d078
72fd33c8	if (root->bm_offmode) {
ee40795f	root->bm_pattab = (struct cli_bm_patt *)MPOOL_REALLOC2(root->mempool, root->bm_pattab, (root->bm_patterns + 1) sizeof(struct cli_bm_patt *));
72fd33c8	if (!root->bm_pattab) { cli_errmsg("cli_bm_addpatt: Can't allocate memory for root->bm_pattab\n"); return CL_EMEM; } root->bm_pattab[root->bm_patterns] = pattern; if (pattern->offdata[0] != CLI_OFF_ABSOLUTE) pattern->offset_min = root->bm_patterns;
006f5fe6	}
4addba22	root->bm_patterns++;
ab1db3b3	return CL_SUCCESS;
8000d078	}
5f4f6910	cl_error_t cli_bm_init(struct cli_matcher *root)
8000d078	{
72fd33c8	uint16_t i, size = HASH(255, 255, 255) + 1;
563582a1	#ifdef USE_MPOOL
72fd33c8	assert(root->mempool && "mempool must be initialized");
563582a1	#endif
006f5fe6
ee40795f	if (!(root->bm_shift = (uint8_t *)MPOOL_CALLOC(root->mempool, size, sizeof(uint8_t))))
72fd33c8	return CL_EMEM;
8000d078
ee40795f	if (!(root->bm_suffix = (struct cli_bm_patt *)MPOOL_CALLOC(root->mempool, size, sizeof(struct cli_bm_patt )))) { MPOOL_FREE(root->mempool, root->bm_shift);
72fd33c8	return CL_EMEM;
8000d078	}
72fd33c8	for (i = 0; i < size; i++) root->bm_shift[i] = BM_MIN_LENGTH - BM_BLOCK_SIZE + 1;
8000d078
ab1db3b3	return CL_SUCCESS;
8000d078	}
5f4f6910	cl_error_t cli_bm_initoff(const struct cli_matcher root, struct cli_bm_off data, const struct cli_target_info *info)
006f5fe6	{
5f4f6910	cl_error_t ret;
72fd33c8	unsigned int i; struct cli_bm_patt *patt; if (!root->bm_patterns) { data->offtab = data->offset = NULL; data->cnt = data->pos = 0; return CL_SUCCESS;
006f5fe6	} data->cnt = data->pos = 0;
72fd33c8	data->offtab = (uint32_t )cli_malloc(root->bm_patterns sizeof(uint32_t)); if (!data->offtab) { cli_errmsg("cli_bm_initoff: Can't allocate memory for data->offtab\n"); return CL_EMEM;
006f5fe6	}
72fd33c8	data->offset = (uint32_t )cli_malloc(root->bm_patterns sizeof(uint32_t)); if (!data->offset) { cli_errmsg("cli_bm_initoff: Can't allocate memory for data->offset\n"); free(data->offtab); return CL_EMEM;
006f5fe6	}
72fd33c8	for (i = 0; i < root->bm_patterns; i++) { patt = root->bm_pattab[i]; if (patt->offdata[0] == CLI_OFF_ABSOLUTE) { data->offtab[data->cnt] = patt->offset_min + patt->prefix_length; if (data->offtab[data->cnt] >= info->fsize) continue; data->cnt++;
5f4f6910	} else if (CL_SUCCESS != (ret = cli_caloff(NULL, info, root->type, patt->offdata, &data->offset[patt->offset_min], NULL))) {
72fd33c8	cli_errmsg("cli_bm_initoff: Can't calculate relative offset in signature for %s\n", patt->virname); free(data->offtab); free(data->offset); return ret; } else if ((data->offset[patt->offset_min] != CLI_OFF_NONE) && (data->offset[patt->offset_min] + patt->length <= info->fsize)) { if (!data->cnt \|\| (data->offset[patt->offset_min] + patt->prefix_length != data->offtab[data->cnt - 1])) { data->offtab[data->cnt] = data->offset[patt->offset_min] + patt->prefix_length; if (data->offtab[data->cnt] >= info->fsize) continue; data->cnt++; } }
006f5fe6	}
424d41d3	cli_qsort(data->offtab, data->cnt, sizeof(uint32_t), NULL);
006f5fe6	return CL_SUCCESS; }
e6f5ac51	void cli_bm_freeoff(struct cli_bm_off *data)
006f5fe6	{
e6f5ac51	free(data->offset); data->offset = NULL; free(data->offtab); data->offtab = NULL;
006f5fe6	}
5612732c	void cli_bm_free(struct cli_matcher *root)
8000d078	{
72fd33c8	struct cli_bm_patt patt, prev; uint16_t i, size = HASH(255, 255, 255) + 1; if (root->bm_shift)
ee40795f	MPOOL_FREE(root->mempool, root->bm_shift);
72fd33c8	if (root->bm_pattab)
ee40795f	MPOOL_FREE(root->mempool, root->bm_pattab);
72fd33c8	if (root->bm_suffix) { for (i = 0; i < size; i++) { patt = root->bm_suffix[i]; while (patt) { prev = patt; patt = patt->next; if (prev->prefix)
ee40795f	MPOOL_FREE(root->mempool, prev->prefix);
72fd33c8	else
ee40795f	MPOOL_FREE(root->mempool, prev->pattern);
72fd33c8	if (prev->virname)
ee40795f	MPOOL_FREE(root->mempool, prev->virname); MPOOL_FREE(root->mempool, prev);
72fd33c8	} }
ee40795f	MPOOL_FREE(root->mempool, root->bm_suffix);
d4fb658e	}
8000d078	}
5f4f6910	cl_error_t cli_bm_scanbuff(const unsigned char buffer, uint32_t length, const char virname, const struct cli_bm_patt patt, const struct cli_matcher root, uint32_t offset, const struct cli_target_info info, struct cli_bm_off offdata, cli_ctx *ctx)
8000d078	{
72fd33c8	uint32_t i, j, off, off_min, off_max; uint8_t found, pchain, shift; uint16_t idx, idxchk; struct cli_bm_patt p; const unsigned char bp, *pt; unsigned char prefix;
5f4f6910	cl_error_t ret; int viruses_found = 0;
8000d078
72fd33c8	if (!root \|\| !root->bm_shift) return CL_CLEAN;
cdbf8c8e
72fd33c8	if (length < BM_MIN_LENGTH) return CL_CLEAN;
cd4db869
006f5fe6	i = BM_MIN_LENGTH - BM_BLOCK_SIZE;
72fd33c8	if (offdata) { if (!offdata->cnt) return CL_CLEAN; if (offdata->pos == offdata->cnt) offdata->pos--; for (; offdata->pos && offdata->offtab[offdata->pos] > offset; offdata->pos--) ; if (offdata->offtab[offdata->pos] < offset) offdata->pos++; if (offdata->pos >= offdata->cnt) return CL_CLEAN; i += offdata->offtab[offdata->pos] - offset;
006f5fe6	}
72fd33c8	for (; i < length - BM_BLOCK_SIZE + 1;) { idx = HASH(buffer[i], buffer[i + 1], buffer[i + 2]); shift = root->bm_shift[idx]; if (shift == 0) { prefix = buffer[i - BM_MIN_LENGTH + BM_BLOCK_SIZE]; p = root->bm_suffix[idx]; if (p && p->cnt == 1 && p->pattern0 != prefix) { if (offdata) { off = offset + i - BM_MIN_LENGTH + BM_BLOCK_SIZE; for (; offdata->pos < offdata->cnt && off >= offdata->offtab[offdata->pos]; offdata->pos++) ; if (offdata->pos == offdata->cnt \|\| off >= offdata->offtab[offdata->pos]) { if (viruses_found) return CL_VIRUS; return CL_CLEAN; } i += offdata->offtab[offdata->pos] - off; } else { i++; } continue; } pchain = 0; while (p) { if (p->pattern0 != prefix) { if (pchain) break; p = p->next; continue; } else pchain = 1; off = i - BM_MIN_LENGTH + BM_BLOCK_SIZE; bp = buffer + off; if ((off + p->length > length) \|\| (p->prefix_length > off)) { p = p->next; continue; } if (offdata) { if (p->offdata[0] == CLI_OFF_ABSOLUTE) { if (p->offset_min != offset + off - p->prefix_length) { p = p->next; continue; } } else if ((offdata->offset[p->offset_min] == CLI_OFF_NONE) \|\| (offdata->offset[p->offset_min] != offset + off - p->prefix_length)) { p = p->next; continue; } } idxchk = MIN(p->length, length - off) - 1; if (idxchk) { if ((bp[idxchk] != p->pattern[idxchk]) \|\| (bp[idxchk / 2] != p->pattern[idxchk / 2])) { p = p->next; continue; } } if (p->prefix_length) { off -= p->prefix_length; bp -= p->prefix_length; pt = p->prefix; } else { pt = p->pattern; } found = 1; for (j = 0; j < p->length + p->prefix_length && off < length; j++, off++) { if (bp[j] != pt[j]) { found = 0; break; } } if (found && (p->boundary & BM_BOUNDARY_EOL)) { if (off != length) { p = p->next; continue; } } if (found && p->length + p->prefix_length == j) { if (!offdata && (p->offset_min != CLI_OFF_ANY)) { if (p->offdata[0] != CLI_OFF_ABSOLUTE) { if (!info) { p = p->next; continue; } ret = cli_caloff(NULL, info, root->type, p->offdata, &off_min, &off_max); if (ret != CL_SUCCESS) { cli_errmsg("cli_bm_scanbuff: Can't calculate relative offset in signature for %s\n", p->virname); return ret; } } else { off_min = p->offset_min; off_max = p->offset_max; } off = offset + i - p->prefix_length - BM_MIN_LENGTH + BM_BLOCK_SIZE; if (off_min == CLI_OFF_NONE \|\| off_max < off \|\| off_min > off) { p = p->next; continue; } } if (virname) { virname = p->virname; if (ctx != NULL && SCAN_ALLMATCHES) { cli_append_virus(ctx, virname); //viroffset = offset + i + j - BM_MIN_LENGTH + BM_BLOCK_SIZE; } } if (patt) patt = p; viruses_found = 1; if (ctx != NULL && !SCAN_ALLMATCHES) return CL_VIRUS; } p = p->next; } shift = 1; } if (offdata) { off = offset + i - BM_MIN_LENGTH + BM_BLOCK_SIZE; for (; offdata->pos < offdata->cnt && off >= offdata->offtab[offdata->pos]; offdata->pos++) ; if (offdata->pos == offdata->cnt \|\| off >= offdata->offtab[offdata->pos]) { if (viruses_found) return CL_VIRUS; return CL_CLEAN; } i += offdata->offtab[offdata->pos] - off; } else { i += shift; }
8000d078	}
38dc186f	if (viruses_found)
72fd33c8	return CL_VIRUS;
841161e0	return CL_CLEAN;
8000d078	}