Skip to content

getitimer

Intro

getitimer - retrieves the current value of an interval timer

Description

The getitimer function is used to retrieve the current value of an interval timer. The interval timer must have been set previously with the setitimer function.

If the value curr_value is non-NULL, the getitimer function fills out the structure pointed to by curr_value with the current value of the timer.

The which argument must be one of the flags, ITIMER_REAL, ITIMER_VIRTUAL or ITIMER_PROF.

The main advantage of using the getitimer syscall is to retrieve the current value of an interval timer previously set with the setitimer syscall. A potential drawback is that the curr_value argument must be initialized before calling this syscall, and must point to valid memory.

Arguments

  • which:int[K] - the timer to retrieve, must be one of ITIMER_REAL, ITIMER_VIRTUAL or ITIMER_PROF.
  • curr_value:struct itimerval*[KU] - pointer to the structure that will contain the retrieved current value.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_getitimer

Type

Kprobes

Purpose

To track the usage and parameters of the getitimer syscall.

Example Use Case

The getitimer syscall can be used by an application to retrieve the current value of an interval timer previously set with the setitimer syscall. This allows an application to accurately keep track of how much time has elapsed until the next interrupts.

Issues

None.

setitimer

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.