--- a/clamd/clamd.c
+++ a/clamd/clamd.c
@@ -431,6 +431,9 @@ int main(int argc, char **argv)
 if((opt = optget(opts,"BytecodeTimeout"))->enabled) {
 cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
 }
+ if((opt = optget(opts,"BytecodeDisableJIT"))->enabled) {
+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg);
+ }
 if(optget(opts,"PhishingScanURLs")->enabled)
 dboptions |= CL_DB_PHISHING_URLS;
--- a/clamscan/manager.c
+++ a/clamscan/manager.c
@@ -405,6 +405,8 @@ int scanmanager(const struct optstruct *opts)
 cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, CL_BYTECODE_TRUST_ALL);
 if((opt = optget(opts,"bytecode-timeout"))->enabled)
 cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
+ if((opt = optget(opts,"bytecode-disable-jit"))->enabled)
+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg);
 if((opt = optget(opts, "tempdir"))->enabled) {
 if((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) {
--- a/docs/man/clamd.conf.5.in
+++ a/docs/man/clamd.conf.5.in
@@ -253,6 +253,12 @@ Default: TrustSigned
 Set bytecode timeout in milliseconds.
 .br
 Default: 60000
+.TP
+\fBBytecodeDisableJIT BOOL\fR
+Disable the JIT and fallback to interpreter mode.
+WARNING: disabling the JIT affects performance!
+.br
+Default: No
 .TP
 \fBDetectPUA BOOL\fR
 Detect Possibly Unwanted Applications.
--- a/docs/man/clamscan.1.in
+++ a/docs/man/clamscan.1.in
@@ -86,6 +86,10 @@ This option disables safety checks and makes ClamAV trust all bytecode. It shoul
 .TP
 \fB\-\-bytecode\-timeout=N\fR
 Set bytecode timeout in milliseconds (default: 60000 = 60s)
+.TP
+\fB\-\-bytecode\-disable\-jit\fR
+Disable the JIT and fallback to interpreter mode.
+WARNING: disable the JIT affects performance!
 .TP
 \fB\-\-detect\-pua[=yes/no(*)]\fR
 Detect Possibly Unwanted Applications.
--- a/etc/clamd.conf
+++ a/etc/clamd.conf
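Review bot: The return value of `cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg)` is discarded in the block added to main(), and again in the scanmanager() hunk of clamscan/manager.c, so a failed set would leave the JIT active with no message. An operator may be turning the JIT off for hardening reasons (for example a policy that forbids writable-and-executable memory), so this should fail loudly; the `tempdir` setter visible in the manager.c context already checks its result and can serve as the pattern, e.g. `if(cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, 1) != CL_SUCCESS)` followed by the neighbouring error handling. Both call sites also pass `opt->numarg` after `->enabled` has already been tested; whether numarg is non-zero for a boolean option depends on the option parser, which these hunks do not show, so passing `1` removes that dependency. Both enclosing functions start and end outside their hunks.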
@@ -474,3 +474,8 @@ Example
 #
 # Default: 60000
 # BytecodeTimeout 60000
+
+# Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.
+#
+# Default: no
+#BytecodeDisableJIT no
--- a/libclamav/clamav.h
+++ a/libclamav/clamav.h
@@ -142,7 +142,8 @@ enum cl_engine_field {
 CL_ENGINE_TMPDIR, /* (char *) */
 CL_ENGINE_KEEPTMP, /* uint32_t */
 CL_ENGINE_BYTECODE_SECURITY, /* uint32_t */
- CL_ENGINE_BYTECODE_TIMEOUT /* uint32_t */
+ CL_ENGINE_BYTECODE_TIMEOUT, /* uint32_t */
+ CL_ENGINE_BYTECODE_DISABLEJIT /* uint32_t */
 };
 enum bytecode_security {
--- a/libclamav/others.c
+++ a/libclamav/others.c
@@ -301,6 +301,7 @@ struct cl_engine *cl_engine_new(void)
 new->bytecode_security = CL_BYTECODE_TRUST_SIGNED;
 /* 5 seconds timeout */
 new->bytecode_timeout = 60000;
+ new->disablejit = 0;
 new->refcount = 1;
 new->ac_only = 0;
 new->ac_mindepth = CLI_DEFAULT_AC_MINDEPTH;
@@ -395,6 +396,9 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long
 case CL_ENGINE_BYTECODE_TIMEOUT:
 engine->bytecode_timeout = num;
 break;
+ case CL_ENGINE_BYTECODE_DISABLEJIT:
+ engine->disablejit = num;
+ break;
 default:
 cli_errmsg("cl_engine_set_num: Incorrect field number\n");
 return CL_EARG;
--- a/libclamav/others.h
+++ a/libclamav/others.h
@@ -249,6 +249,7 @@ struct cl_engine {
 unsigned hook_lsig_ids;
 enum bytecode_security bytecode_security;
 uint32_t bytecode_timeout;
+ unsigned disablejit;
 };
 struct cl_settings {
--- a/libclamav/readdb.c
+++ a/libclamav/readdb.c
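Review bot: `engine->disablejit = num;` in the new CL_ENGINE_BYTECODE_DISABLEJIT case of cl_engine_set_num() stores the caller's value into an `unsigned` field without normalising it. The hunk header shows the parameter type starting with `long`, so negative or oversized values are converted silently. The field is only tested for truth in the readdb.c hunk, so `engine->disablejit = (num != 0);` states the intent and keeps the stored value at 0 or 1. The diff shows no matching read-side case either; if cl_engine_get_num() mirrors this switch, it needs one so callers can read the setting back. The switch begins and ends outside the hunk.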
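Review bot: The new `unsigned disablejit;` member is added to struct cl_engine only; `struct cl_settings`, whose opening line is visible as trailing context in the others.h hunk, gets no counterpart anywhere in this diff. If an engine is rebuilt through cl_engine_settings_copy()/cl_engine_settings_apply(), as a daemon typically does on database reload, the new engine would start from the `new->disablejit = 0` default in cl_engine_new() and the JIT would come back on without notice. This is inferred, since neither settings function appears in the diff. Consider adding the field to cl_settings and copying it in both directions, plus a comment on the member such as `/* non-zero: force the bytecode interpreter, never the JIT */`.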
@@ -2566,7 +2566,10 @@ int cl_load(const char *path, struct cl_engine *engine, unsigned int *signo, uns
 return ret;
 if((dboptions & CL_DB_BYTECODE) && !engine->bcs.engine && (engine->dconf->bytecode & BYTECODE_ENGINE_MASK)) {
- if((ret = cli_bytecode_init(&engine->bcs, engine->dconf->bytecode)))
+ unsigned dconfmask = engine->dconf->bytecode;
+ if (engine->disablejit)
+ dconfmask &= BYTECODE_INTERPRETER;
+ if((ret = cli_bytecode_init(&engine->bcs, dconfmask)))
 return ret;
 } else {
 cli_dbgmsg("Bytecode engine disabled\n");
--- a/shared/optparser.c
+++ a/shared/optparser.c
@@ -252,6 +252,9 @@ const struct clam_option __clam_options[] = {
 "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"},
 { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,
 "Set bytecode timeout in miliseconds.\n","60000"},
+ { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,
+ "Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"},
+
 { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" },
 { "ExcludePUA", "exclude-pua", 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Exclude a specific PUA category. This directive can be used multiple times.\nSee http://www.clamav.net/support/pua for the complete list of PUA\ncategories.", "NetTool\nPWTool" },
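Review bot: The outer condition in the cl_load() hunk still tests `engine->dconf->bytecode & BYTECODE_ENGINE_MASK`, but cli_bytecode_init() now receives `dconfmask`, which after `dconfmask &= BYTECODE_INTERPRETER;` can be 0 when dconf has the interpreter bit cleared. In that case the "Bytecode engine disabled" branch is skipped and init is called with an empty mask; what cli_bytecode_init() does with it is not visible here, and falling back to a default backend would defeat the option. Computing the mask before the outer `if` and testing `(dconfmask & BYTECODE_ENGINE_MASK)` there keeps the check and the call consistent. The block is also guarded by `!engine->bcs.engine`, so the flag only takes effect when set before the first bytecode-enabled cl_load(); a comment such as `/* disablejit must be set before the first cl_load() that initialises bytecode */` would help API users. cl_load() begins and ends outside the hunk.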