Skip to content

clock_gettime32

Intro

clock_gettime32 - get the time of a specific clock, with a 32-bit version of struct timespec

Description

clock_gettime32 is a Linux system call that retrieves the current time of the clock specified in the argument which_clock. The time is returned in struct old_timespec32 pointed to by the argument tp. This version of the call is for 32-bit applications using an old version of struct timespec.

The call can be subject to races if the time is retrieved between the check, at which point the output is known, and the use, at which point there are no guarantees the output is still valid. It's related to the time-of-check-time-of-use (TOCTOU) vulnerability, and it can be mitigated by applying locks or other synchronization techniques.

Arguments

  • which_clock:clockid_t - The identifier of the clock whose time is requested.
  • tp:struct old_timespec32*[U] - Pointer to a buffer in user-space that is used to return the current time.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_clock_gettime

Type

Kprobe

Purpose

To log the system calls for clock_gettime and clock_gettime32 at the entry point of syscall sys_clock_gettime.

Example Use Case

clock_gettime32's usage requires a clockid_t and a pointer to an old timespec structure. It can be used to get the current time of the requested clock, and then store and compare it in the future.

Issues

Since clock_gettime32 is vulnerable to TOCTOU, care should be taken that the returned time might be stale by the time it is used. This can be mitigated by applying locks or other synchronization techniques.

  • clock_nanosleep - Suspend the execution of the current thread until the time pointed by tp.
  • timerfd_gettime - Retrieve the current expiry time of the timer associated with the timerfd.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.