@@ -1,3 +1,9 @@

+Mon Sep 19 01:15:02 CEST 2005 (tk)

+----------------------------------

+  * libclamav/elf.c: add cli_elfheader()

+  * libclamav/execs.h: new file

+  * libclamav/matcher.c: support ELF files in cli_caloff()

+

 Fri Sep 16 16:49:14 CEST 2005 (tk)

 ----------------------------------

   * libclamav/upx.c: fix possible buffer overflow (acab)

@@ -142,7 +142,8 @@ libclamav_la_SOURCES = \

 	spin.c \

 	spin.h \

 	elf.c \

-	elf.h

+	elf.h \

+	execs.h

 lib_LTLIBRARIES = libclamav.la

@@ -32,6 +32,7 @@

 #include "cltypes.h"

 #include "elf.h"

 #include "clamav.h"

+#include "execs.h"

 #define DETECT_BROKEN		    (options & CL_SCAN_BLOCKBROKEN)

@@ -61,7 +62,7 @@ int cli_scanelf(int desc, const char **virname, long int *scanned, const struct

 	uint32_t entry, shoff, image;

 	int i;

-    cli_dbgmsg("in cli_elfheader\n");

+    cli_dbgmsg("in cli_scanelf\n");

     if(read(desc, &file_hdr, sizeof(file_hdr)) != sizeof(file_hdr)) {

 	/* Not an ELF file? */

@@ -75,7 +76,7 @@ int cli_scanelf(int desc, const char **virname, long int *scanned, const struct

     }

     if(file_hdr.e_ident[4] != 1) {

-	cli_dbgmsg("ELF: 64-bit binaries not supported\n");

+	cli_dbgmsg("ELF: 64-bit binaries are not supported (yet)\n");

 	return CL_CLEAN;

     }

@@ -180,7 +181,7 @@ int cli_scanelf(int desc, const char **virname, long int *scanned, const struct

     shentsize = EC16(file_hdr.e_shentsize);

     if(shentsize != sizeof(struct elf_section_hdr32)) {

-	cli_errmsg("ELF: shentsize != sizeof(struct elf_section_hdr32)\n");

+	cli_dbgmsg("ELF: shentsize != sizeof(struct elf_section_hdr32)\n");

         if(DETECT_BROKEN) {

 	    if(virname)

             *virname = "Broken.Executable";

@@ -225,6 +226,7 @@ int cli_scanelf(int desc, const char **virname, long int *scanned, const struct

 	cli_dbgmsg("ELF: Section %d\n", i);

 	cli_dbgmsg("ELF: Section offset: %d\n", EC32(section_hdr[i].sh_offset));

+	cli_dbgmsg("ELF: Section size: %d\n", EC32(section_hdr[i].sh_size));

 	switch(EC32(section_hdr[i].sh_type)) {

 	    case 0x6: /* SHT_DYNAMIC */

@@ -297,3 +299,91 @@ int cli_scanelf(int desc, const char **virname, long int *scanned, const struct

     free(section_hdr);

     return CL_CLEAN;

 }

+

+int cli_elfheader(int desc, struct cli_exe_info *elfinfo)

+{

+	struct elf_file_hdr32 file_hdr;

+	struct elf_section_hdr32 *section_hdr;

+	uint16_t shnum, shentsize;

+	uint32_t entry, shoff, image;

+	int i;

+

+    cli_dbgmsg("in cli_elfheader\n");

+

+    if(read(desc, &file_hdr, sizeof(file_hdr)) != sizeof(file_hdr)) {

+	/* Not an ELF file? */

+	cli_dbgmsg("ELF: Can't read file header\n");

+	return -1;

+    }

+

+    if(memcmp(file_hdr.e_ident, "\x7f\x45\x4c\x46", 4)) {

+	cli_dbgmsg("ELF: Not an ELF file\n");

+	return -1;

+    }

+

+    if(file_hdr.e_ident[4] != 1) {

+	cli_dbgmsg("ELF: 64-bit binaries are not supported (yet)\n");

+	return -1;

+    }

+

+    if(file_hdr.e_ident[5] == 1) {

+	image =  0x8048000;

+#if WORDS_BIGENDIAN == 1

+	need_conversion = 1;

+#endif

+    } else {

+	image =  0x10000;

+#if WORDS_BIGENDIAN == 0

+	need_conversion = 1;

+#endif

+    }

+

+    entry = EC32(file_hdr.e_entry);

+

+    shnum = EC16(file_hdr.e_shnum);

+    if(shnum > 256) {

+	cli_dbgmsg("ELF: Suspicious number of sections\n");

+	return -1;

+    }

+    elfinfo->nsections = shnum;

+

+    shentsize = EC16(file_hdr.e_shentsize);

+    if(shentsize != sizeof(struct elf_section_hdr32)) {

+	cli_dbgmsg("ELF: shentsize != sizeof(struct elf_section_hdr32)\n");

+	return -1;

+    }

+

+    shoff = EC32(file_hdr.e_shoff);

+    if(lseek(desc, shoff, SEEK_SET) != shoff) {

+	/* Possibly broken end of file */

+	return -1;

+    }

+

+    elfinfo->section = (struct cli_exe_section *) cli_calloc(elfinfo->nsections, sizeof(struct cli_exe_section));

+    if(!elfinfo->section) {

+	cli_dbgmsg("ELF: Can't allocate memory for section headers\n");

+	return -1;

+    }

+

+    section_hdr = (struct elf_section_hdr32 *) cli_calloc(shnum, shentsize);

+    if(!section_hdr) {

+	cli_errmsg("ELF: Can't allocate memory for section headers\n");

+	return -1;

+    }

+

+    for(i = 0; i < shnum; i++) {

+

+	if(read(desc, &section_hdr[i], sizeof(struct elf_section_hdr32)) != sizeof(struct elf_section_hdr32)) {

+            free(section_hdr);

+	    free(elfinfo->section);

+            return -1;

+        }

+

+	elfinfo->section[i].rva = EC32(section_hdr[i].sh_addr);

+	elfinfo->section[i].raw = EC32(section_hdr[i].sh_offset);

+	elfinfo->section[i].rsz = EC32(section_hdr[i].sh_size);

+    }

+

+    free(section_hdr);

+    return 0;

+}

@@ -24,6 +24,7 @@

 #include "cltypes.h"

 #include "clamav.h"

+#include "execs.h"

 struct elf_file_hdr32 {

     unsigned char e_ident[16];

@@ -57,4 +58,6 @@ struct elf_section_hdr32 {

 int cli_scanelf(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec);

+int cli_elfheader(int desc, struct cli_exe_info *elfinfo);

+

 #endif

new file mode 100644

@@ -0,0 +1,37 @@

+/*

+ *  Copyright (C) 2005 Tomasz Kojm <tkojm@clamav.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ */

+

+#ifndef __EXECS_H

+#define __EXECS_H

+

+#include "cltypes.h"

+

+struct cli_exe_section {

+    uint32_t rva;

+    uint32_t vsz;

+    uint32_t raw;

+    uint32_t rsz;

+};

+

+struct cli_exe_info {

+    uint32_t ep;

+    uint16_t nsections;

+    struct cli_exe_section *section;

+};

+

+#endif

@@ -34,12 +34,14 @@

 #include "filetypes.h"

 #include "matcher.h"

 #include "pe.h"

+#include "elf.h"

+#include "execs.h"

 #include "special.h"

 #define MD5_BLOCKSIZE 4096

-#define TARGET_TABLE_SIZE 6

-static int targettab[TARGET_TABLE_SIZE] = { 0, CL_TYPE_MSEXE, CL_TYPE_MSOLE2, CL_TYPE_HTML, CL_TYPE_MAIL, CL_TYPE_GRAPHICS };

+#define TARGET_TABLE_SIZE 7

+static int targettab[TARGET_TABLE_SIZE] = { 0, CL_TYPE_MSEXE, CL_TYPE_MSOLE2, CL_TYPE_HTML, CL_TYPE_MAIL, CL_TYPE_GRAPHICS, CL_TYPE_ELF };

 extern short cli_debug_flag;

@@ -96,40 +98,47 @@ static struct cli_md5_node *cli_vermd5(const unsigned char *md5, const struct cl

     return NULL;

 }

-static long int cli_caloff(const char *offstr, int fd)

+static long int cli_caloff(const char *offstr, int fd, unsigned short ftype)

 {

-	struct cli_pe_info peinfo;

+	struct cli_exe_info exeinfo;

+	int (*einfo)(int, struct cli_exe_info *) = NULL;

 	long int offset = -1;

 	int n;

+    if(ftype == CL_TYPE_MSEXE)

+	einfo = cli_peheader;

+    else if(ftype == CL_TYPE_ELF)

+	einfo = cli_elfheader;

+

     if(isdigit(offstr[0])) {

 	return atoi(offstr);

-    } if(!strncmp(offstr, "EP+", 3) || !strncmp(offstr, "EP-", 3)) {

+

+    } else if(einfo && (!strncmp(offstr, "EP+", 3) || !strncmp(offstr, "EP-", 3))) {

 	if((n = lseek(fd, 0, SEEK_CUR)) == -1) {

 	    cli_dbgmsg("Invalid descriptor\n");

 	    return -1;

 	}

 	lseek(fd, 0, SEEK_SET);

-	if(cli_peheader(fd, &peinfo)) {

+	if(einfo(fd, &exeinfo)) {

 	    lseek(fd, n, SEEK_SET);

 	    return -1;

 	}

-	free(peinfo.section);

+	free(exeinfo.section);

 	lseek(fd, n, SEEK_SET);

 	if(offstr[2] == '+')

-	    return peinfo.ep + atoi(offstr + 3);

+	    return exeinfo.ep + atoi(offstr + 3);

 	else

-	    return peinfo.ep - atoi(offstr + 3);

+	    return exeinfo.ep - atoi(offstr + 3);

-    } else if(offstr[0] == 'S') {

+    } else if(einfo && offstr[0] == 'S') {

 	if((n = lseek(fd, 0, SEEK_CUR)) == -1) {

 	    cli_dbgmsg("Invalid descriptor\n");

 	    return -1;

 	}

 	lseek(fd, 0, SEEK_SET);

-	if(cli_peheader(fd, &peinfo)) {

+	if(einfo(fd, &exeinfo)) {

 	    lseek(fd, n, SEEK_SET);

 	    return -1;

 	}

@@ -138,28 +147,28 @@ static long int cli_caloff(const char *offstr, int fd)

 	if(!strncmp(offstr, "SL", 2)) {

 	    if(sscanf(offstr, "SL+%ld", &offset) != 1) {

-		free(peinfo.section);

+		free(exeinfo.section);

 		return -1;

 	    }

-	    offset += peinfo.section[peinfo.nsections - 1].raw;

+	    offset += exeinfo.section[exeinfo.nsections - 1].raw;

 	} else {

 	    if(sscanf(offstr, "S%d+%ld", &n, &offset) != 2) {

-		free(peinfo.section);

+		free(exeinfo.section);

 		return -1;

 	    }

-	    if(n >= peinfo.nsections) {

-		free(peinfo.section);

+	    if(n >= exeinfo.nsections) {

+		free(exeinfo.section);

 		return -1;

 	    }

-	    offset += peinfo.section[n].raw;

+	    offset += exeinfo.section[n].raw;

 	}

-	free(peinfo.section);

+	free(exeinfo.section);

 	return offset;

     } else if(!strncmp(offstr, "EOF-", 4)) {

@@ -226,7 +235,7 @@ int cli_validatesig(unsigned short target, unsigned short ftype, const char *off

     }

     if(offstr && desc != -1) {

-	    long int off = cli_caloff(offstr, desc);

+	    long int off = cli_caloff(offstr, desc, ftype);

 	if(off == -1) {

 	    cli_dbgmsg("Bad offset in signature (%s)\n", virname);

@@ -42,6 +42,7 @@

 #include "scanners.h"

 #include "rebuildpe.h"

 #include "str.h"

+#include "execs.h"

 #define IMAGE_DOS_SIGNATURE	    0x5a4d	    /* MZ */

 #define IMAGE_DOS_SIGNATURE_OLD	    0x4d5a          /* ZM */

@@ -1479,7 +1480,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

     return CL_CLEAN;

 }

-int cli_peheader(int desc, struct cli_pe_info *peinfo)

+int cli_peheader(int desc, struct cli_exe_info *peinfo)

 {

 	uint16_t e_magic; /* DOS signature ("MZ") */

 	uint32_t e_lfanew; /* address of new exe header */

@@ -1547,7 +1548,7 @@ int cli_peheader(int desc, struct cli_pe_info *peinfo)

 	return -1;

     }

-    peinfo->section = (struct SECTION *) cli_calloc(peinfo->nsections, sizeof(struct SECTION));

+    peinfo->section = (struct cli_exe_section *) cli_calloc(peinfo->nsections, sizeof(struct cli_exe_section));

     if(!peinfo->section) {

 	cli_dbgmsg("Can't allocate memory for section headers\n");

@@ -23,7 +23,7 @@

 #define __PE_H

 #include "clamav.h"

-#include "rebuildpe.h"

+#include "execs.h"

 struct pe_image_file_hdr {

     uint32_t Magic;

@@ -94,14 +94,8 @@ struct pe_image_section_hdr {

     uint32_t Characteristics;

 };

-struct cli_pe_info {

-    uint32_t ep; /* raw entry point */

-    uint16_t nsections;

-    struct SECTION *section;

-};

-

 int cli_scanpe(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec);

-int cli_peheader(int desc, struct cli_pe_info *peinfo);

+int cli_peheader(int desc, struct cli_exe_info *peinfo);

 #endif