Bug 10971 – can't scan a files larger than available physical memory.

Bug 10971 - can't scan a files larger than available physical memory.


Summary:	can't scan a files larger than available physical memory.

Status:	ASSIGNED

Product:	ClamAV
Classification:	ClamAV
Component:	libclamav
Version:	stable
Hardware:	All GNU/Linux

Importance:	P3 normal
Target Milestone:	feature_request
Assigned To:	Mickey Sola

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-04-10 17:35 EDT by Sebastian A. Siewior
Modified:	2018-06-09 08:58 EDT (History)
CC List:	7 users (show)

See Also:
QA Contact:

Attachments
RFC patch for the problem. (5.21 KB, patch) 2014-04-10 17:35 EDT, Sebastian A. Siewior	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian A. Siewior 2014-04-10 17:35:26 EDT

Created attachment 6606 [details]
RFC patch for the problem.

There is a bug reported [0] where the user can't scan a file because it is larger than the physical available memory on this computer.

On unix platform the fmap_check_empty() function maps the complete file
by allocating the memory via mmap() with the write flag on. On systems
with not a lot of memory it means that a file can't be scanned. For
instance a 1GiB file on a system with 512MiB of memory.
This patch changes the behaviour to what we have on win32:
- the malloc() cl_fmap_t structure
- mmap() the file as RO only. Since it content is backed by file on disk
  we mmap() any file as long as our virtual memory space is large
  enough. That means this will fail on 32bit architectures which try
  scan a file which is ~2.8GiB. This failed before as well but now we
  aleast not limited by our physical memory.

This is my proposal. I tested it on x86-64 with 512MiB of RAM with 1.5GiB file 
via clamscan. I wanted some feedback before spending more time on this.

We still have the problem on 32bit Platforms for files >3GiB. It would help to 
allocate only small chunks (say 4MiB) of the file instead of everything. Then if 
other pieces of the file are required it could get re-mapped(). Just a though.

[0] https://bugs.debian.org/740059

Sebastian

Comment 1 Steven Morgan 2014-04-11 15:11:41 EDT

Thanks for sending a patch, scheduled to evaluate for upcoming release.

Comment 2 Scott Kitterman 2014-07-07 00:18:17 EDT

Could this be included in 0.98.5?

Comment 3 Sebastian A. Siewior 2015-05-05 15:20:21 EDT

any ETA for 0.99? Something like this summer, Xmas, next year ?

Comment 4 Loïc 2015-06-18 10:51:45 EDT

I am interested by this issue too, we are running clamav on VMs which don't always have enough memory to scan large files with the whole file in memory.

Maybe a partial scan could be possible ?

Best regards
Loïc

Comment 5 Steven Morgan 2016-05-27 12:06:06 EDT

For review and comment by Mickey. Targeting 0.99.3.

Comment 6 Mickey Sola 2016-06-08 17:19:55 EDT

We like the idea and effort here, but the current implementation breaks our valgrind unit tests when testing bytecode functionality. Additionally, the general use-case for this isn't entirely clear and changing such a crucial piece of the library may have serious implications and needs heavy regression testing. 

As things stand, if we move forward with this patch it will likely be as a configuration option specifically intended for scanning in low physical memory environments.

Comment 7 Steven Morgan 2017-08-23 18:11:30 EDT

Sorry, we are going to have to look at doing this another way based on comment 6. I will move this to the feature request queue.

Comment 8 elatllat 2018-06-09 08:58:24 EDT

Maybe we could start with a graceful failure by replacing the current output

LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed

with a message conforming to the current FOUND format  

/path/to/file: file larger than available memory NOTSCANNED