One of the recent bytecode signatures:

LibClamAV debug: Bytecode 0001444645.cbc(38) has logical signature: BC.Exploit.CVE_2012_0165.{CVE_2012_0165};Engine:56-255,Target:0;0;0:01000000{36}20454d46

ends up calling the abort function defined in bytecode2llvm.cpp:

.Case("abort", (void*)(intptr_t)jit_exception_handler)

on certain input data.

jit_exception_handler calls longjmp, which tries to unwind the stack using RtlUnwindEx. However, the JIT'd code generated by LLVM hasn't generated the unwind information which RtlUnwindEx requires, so this fails. From what I could figure out, the JIT generator needs to call RtlAddFunctionTable and ensure that the function prolog/epilog is of the appropriate form to make longjmp work. (I started poking at this, but I didn't get very far, as I'm not very familiar with LLVM and have very limited time to work on this.)

I do have input that will reliably trigger this, however it's somebody's mail so unfortunately I can't share it -- just calling abort from some bytecode would be enough to reproduce this though.

(I would have put this in bugzilla but it doesn't seem to be sending the confirmation mail required to create an account which is required to add a bug).

Thanks,

Mark
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

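To make the mechanism in the report concrete, here is an added example (not ClamAV or LLVM code, and not part of the original message) of what a JIT on 64-bit Windows has to produce for a frame that longjmp must unwind through: a hand-assembled stub that allocates a 0x28-byte frame and calls a C handler, the UNWIND_INFO record describing that prolog, and a RUNTIME_FUNCTION entry registered with RtlAddFunctionTable. The stub layout, the 0x28 frame size, the in-page offsets, and the handler name jit_abort_handler (standing in for jit_exception_handler) are assumptions made for illustration. The encoding helpers are portable and can be checked on any host; the registration and the longjmp round trip only run on Win64.

```c
/* Added example (not ClamAV/LLVM code): x64 unwind metadata for a JIT'd stub.
 * Stub layout, frame size and page offsets are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifdef _WIN64
#include <windows.h>
#include <setjmp.h>
#endif

#define UWOP_ALLOC_SMALL 2   /* x64 unwind op: "sub rsp, N" for N in 8..128 */

/* Assumed stub (21 bytes), hand-assembled:
 *   sub  rsp, 0x28      48 83 EC 28      <- prolog, 4 bytes
 *   mov  rax, imm64     48 B8 <8 bytes>
 *   call rax            FF D0
 *   add  rsp, 0x28      48 83 C4 28
 *   ret                 C3
 */
enum { STUB_PROLOG_LEN = 4, STUB_FRAME = 0x28, STUB_LEN = 21, UNWIND_OFF = 32 };

size_t emit_stub(uint8_t *buf, uint64_t target)
{
    static const uint8_t prolog[]   = {0x48, 0x83, 0xEC, 0x28};
    static const uint8_t mov_rax[]  = {0x48, 0xB8};
    static const uint8_t call_rax[] = {0xFF, 0xD0};
    static const uint8_t epilog[]   = {0x48, 0x83, 0xC4, 0x28, 0xC3};
    size_t n = 0;
    memcpy(buf + n, prolog, sizeof prolog);     n += sizeof prolog;
    memcpy(buf + n, mov_rax, sizeof mov_rax);   n += sizeof mov_rax;
    for (int i = 0; i < 8; i++)                 /* imm64, little-endian */
        buf[n++] = (uint8_t)(target >> (8 * i));
    memcpy(buf + n, call_rax, sizeof call_rax); n += sizeof call_rax;
    memcpy(buf + n, epilog, sizeof epilog);     n += sizeof epilog;
    return n;                                   /* == STUB_LEN */
}

/* UNWIND_INFO for the stub, written as raw bytes (independent of C bitfield
 * layout): 4-byte header, one UWOP_ALLOC_SMALL code, padding to an even count. */
size_t encode_unwind_info(uint8_t *out, uint8_t prolog_len, uint8_t frame_bytes)
{
    uint8_t opinfo = (uint8_t)(frame_bytes / 8 - 1);      /* size = opinfo*8 + 8 */
    out[0] = 1;                  /* Version=1 (low 3 bits), Flags=0: no handler */
    out[1] = prolog_len;         /* SizeOfProlog */
    out[2] = 1;                  /* CountOfCodes */
    out[3] = 0;                  /* FrameRegister=0 (rsp-based), FrameOffset=0 */
    out[4] = prolog_len;         /* CodeOffset: end of the `sub rsp` instruction */
    out[5] = (uint8_t)(UWOP_ALLOC_SMALL | (opinfo << 4));  /* op low nibble, info high */
    out[6] = out[7] = 0;         /* pad the code array to an even length */
    return 8;
}

/* Mirrors RUNTIME_FUNCTION: RVAs relative to the base address passed to
 * RtlAddFunctionTable (here the start of the JIT page). */
typedef struct { uint32_t begin, end, unwind; } rf_entry;

rf_entry describe_stub(void)
{
    rf_entry e = { 0, STUB_LEN, UNWIND_OFF };
    return e;
}

/* Accessors so individual encoded bytes can be inspected on any host. */
uint8_t unwind_byte(int i)
{
    uint8_t ui[8];
    encode_unwind_info(ui, STUB_PROLOG_LEN, STUB_FRAME);
    return ui[i];
}
uint8_t stub_byte(uint64_t target, int i)
{
    uint8_t code[STUB_LEN];
    emit_stub(code, target);
    return code[i];
}

#ifdef _WIN64
static jmp_buf g_jb;
static void jit_abort_handler(void) { longjmp(g_jb, 1); } /* stands in for jit_exception_handler */

/* Build the stub in executable memory, register its unwind info, call it, and
 * report whether the longjmp from the handler came back to setjmp (1 = yes). */
int run_on_win64(void)
{
    static RUNTIME_FUNCTION table[1];   /* must stay valid until RtlDeleteFunctionTable */
    uint8_t *page = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!page) return -1;
    emit_stub(page, (uint64_t)(uintptr_t)jit_abort_handler);
    encode_unwind_info(page + UNWIND_OFF, STUB_PROLOG_LEN, STUB_FRAME);
    rf_entry d = describe_stub();
    table[0].BeginAddress = d.begin;
    table[0].EndAddress   = d.end;
    table[0].UnwindData   = d.unwind;
    if (!RtlAddFunctionTable(table, 1, (DWORD64)(uintptr_t)page)) return -1;
    volatile int unwound = 0;
    if (setjmp(g_jb) == 0)
        ((void (*)(void))page)();       /* handler longjmps; control does not return here */
    else
        unwound = 1;
    RtlDeleteFunctionTable(table);
    VirtualFree(page, 0, MEM_RELEASE);
    return unwound;
}
#endif

int main(void)
{
#ifdef _WIN64
    printf("longjmp through registered JIT frame: %s\n", run_on_win64() == 1 ? "ok" : "FAILED");
#else
    printf("UNWIND_INFO bytes:");
    for (int i = 0; i < 8; i++) printf(" %02x", unwind_byte(i));
    printf("\n");
#endif
    return 0;
}
```

Without the RtlAddFunctionTable call the unwinder has no entry for the return address inside the stub and therefore nothing telling it about the 0x28-byte frame, which is the situation the report describes; with it, the longjmp from the handler returns cleanly to setjmp. The unwind codes must describe the prolog exactly as emitted (same instructions, same order, CodeOffset at the end of each one), which is the "appropriate form" constraint the report mentions; a real JIT has to emit this metadata for every function it generates, not just one stub.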