Futex

Intro

Futex - a syscall to facilitate fast user-space locking.

Description

The futex() system call provides a method for a program to wait until a certain condition becomes true, or to signal that a certain condition has become true. The program specifies a pointer to the memory address (uaddr) in which it saves the condition, a value (val) which indicates the condition, and a timeout (timeout) after which the wait returns automatically. Additionally, a set of operations (futex_op) can be specified which act on the condition represented by uaddr.

The futex() system call is useful for coordinating access to shared data structures between multiple processes, as the operations it provides can be used to create simple mutexes. It is typically used through higher-level libraries such as POSIX Threads, whose pthread_mutex_lock() and related functions control access to shared memory.

Arguments

  • uaddr:int*[K, TOCTOU] - A pointer to the memory address in which the caller saves the condition. If a valid pointer is passed, the system call will inspect and modify the value this pointer points to.
  • futex_op:int[K] - A set of flags which control the operation that should be performed on the wait queue.
  • val:int[K] - An integral value which represents the condition. This will be compared to the value pointed to by uaddr on each operation.
  • timeout:const struct timespec*[K] - A pointer to a struct timespec that indicates the timeout after which the wait returns automatically. If the pointer passed is a NULL pointer, the wait does not time out.
  • uaddr2:int*[K, TOCTOU] - A pointer to a second memory address with a second condition.
  • val3:int[K] - The second condition value. This will be compared to the value pointed to by uaddr2 on each operation.
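
The uaddr/val comparison, the timeout and the futex_op encoding described in the argument list, as an added C example that is not part of the Tracee documentation or code base. The helper names wait_result, wake_count and op_name and the sample futex word are assumptions made for the illustration; the constants come from <linux/futex.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/futex.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* glibc exports no futex() wrapper, so issue the raw system call. */
static long futex(int *uaddr, int futex_op, int val,
                  const struct timespec *timeout)
{
    return syscall(SYS_futex, uaddr, futex_op, val, timeout, NULL, 0);
}

/* FUTEX_WAIT (timeout_ms < 1000): 0 if woken, else the errno ending the wait. */
int wait_result(int *uaddr, int expected, long timeout_ms)
{
    struct timespec ts = { .tv_sec = 0, .tv_nsec = timeout_ms * 1000000L };
    return futex(uaddr, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, expected, &ts) ? errno : 0;
}

/* FUTEX_WAKE: number of waiters woken (0 when nobody is queued). */
long wake_count(int *uaddr, int max_waiters)
{
    return futex(uaddr, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, max_waiters, NULL);
}

/* Name the command in a traced futex_op; option bits are masked off. */
const char *op_name(int futex_op)
{
    switch (futex_op & FUTEX_CMD_MASK) {
    case FUTEX_WAIT:    return "FUTEX_WAIT";
    case FUTEX_WAKE:    return "FUTEX_WAKE";
    case FUTEX_WAKE_OP: return "FUTEX_WAKE_OP";
    case FUTEX_LOCK_PI: return "FUTEX_LOCK_PI";
    default:            return "other";
    }
}

int main(void)
{
    int word = 1; /* constructed futex word */
    printf("*uaddr != val -> errno %d\n", wait_result(&word, 0, 10));
    printf("*uaddr == val -> errno %d\n", wait_result(&word, 1, 10));
    printf("wake, no waiters -> %ld woken\n", wake_count(&word, 1));
    printf("futex_op 129 -> %s\n", op_name(FUTEX_WAKE | FUTEX_PRIVATE_FLAG));
    return 0;
}
```

When reading traced events, apply the same masking to futex_op before comparing it with a command constant, since the private and clock option bits are OR-ed into the same integer.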

Available Tags

  • K - Originated from kernel space.
  • U - Originated from user space (for example, a pointer to user-space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use).
  • OPT - Optional argument that might not always be available (passed with a null value).

Hooks

sys_futex

Type

Kprobes + Jprobes

Purpose

To allow deeper analysis of the system call, including arguments and its return value.

Example Use Case

The futex() system call is used to create simple user-space locks that can be used to coordinate access to shared resources in a multi-process environment.

Issues

  • The values of both uaddr and uaddr2 arguments are vulnerable to TOCTOU attacks, which may allow an attacker to bypass the lock and gain access to a shared resource.
  • If the timeout is set too short, requests might not be able to complete in time and the application might deadlock.

futex_wait, futex_wake, futextime64, futextime64_wait, futex_wake_op, futex_wake_op_pi, futex_lock_pi, futex_unlock_pi

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.