[Xymon] Integer underflow in FILE mtime/ctime/atime check

Jeremy Laidman jeremy at laidman.org
Thu Aug 13 05:59:50 CEST 2020 

On Thu, 13 Aug 2020 at 13:18, Axel Beckert <abe at deuxchevaux.org> wrote:

> Hi,
>
> at least in Xymon 4.2.28 (plus recent CVE patches, i.e. as currently
> in Debian Stable) there is an issue with an integer underflow in the
> FILE mtime/ctime/atime check which basically seems to happen when
> finding the file to check takes a moment (seconds) and the file in
> question has been modified after the search for the file has been
> started.
>

Is it possible that the time on the host being monitored is in the future,
at least compared to the time of the Xymon server?

Can you provide the [clock] and [file:/nfs/...] sections of your client
data message for an instance when the underflow has occurred?

It's hard to see how a delay in the collection of file timestamps could
cause this underflow, as the creation of the [clock] section (the source of
"now") is executed after the creation of the [file:] section (the source of
the MTIME value). Essentially it's:

1. create tempfile
2. echo "client" header >> tempfile
3. run OS script >> tempfile
4. run "logfetch" to generate [file:] sections >> tempfile
5. echo client version section >> tempfile
6. run "logfetch --clock" to gelerate [clock] section >> tempfile
7. send tempfile to Xymon server

What you're describing is a situation where the time generated at step 4 is
ahead of the time generated at step 6. I think this can only happen if the
timestamp of the file is in the future.

However, If the [clock] section of the client message does not exist, the
the Xymon server will use its own time for its calculations.

In such cases this integer underflow happens and causes a falso
> positive due to instead of the time difference being negative, it's
> insanely huge:
>

No matter the cause, Xymon should take into account the possibility that
the timestamp is in the future, and at least show "was modified N seconds
into the future" or something similar, after handling or avoiding the
underflow.

Perhaps create the following entry in clientlocal.cfg:

file:`exec >/tmp/clock-test 2>&1; date; $XYMONHOME/bin/logfetch --clock ;
ls -l $(ls -1d /nf/2???/??/??/ | tail -1)* | tail -1;
$XYMONHOME/bin/logfetch --clock; date`

The output file /tmp/clock-test might give you some idea of what's going
on. Remember that it can take up to 10 minutes for updates to
clientlocal.cfg to take effect on the client.

Cheers
Jeremy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20200813/238c9071/attachment.htm>

More information about the Xymon mailing list