mmap¶
Intro¶
mmap - map a region of memory in a process address space
Description¶
The mmap() system call maps a region of memory in a process address space. It
can be used to share a region of memory between processes, or to map a region of
a file or device into a process's address space. The flags parameter is a
bitwise combination of various options that control the mapping of a region of
memory. The prot parameter is the protection level of the region. The fd
parameter, if set, specifies the file descriptor of a regular file or device
that is mapped into the calling process address space. The off parameter
specifies the offset from the start of the file, if file-associated memory is
being mapped.
The mmap() system call is useful for allocating a fixed-size region of
memory for use in a larger system. It can be used for applications such as
kernel code, device drivers, shared libraries, or for any other region of
memory that needs to be allocated.
Arguments¶
addr:void*[K] - a pointer to the memory location where the mapping will begin. If this value is NULL, page-aligned memory will be allocated and used.length:size_t[K] - the size of the mapping in bytes.prot:int[K] - the protection flags for the mapping; a combination ofPROT_READ,PROT_WRITEandPROT_EXEC.flags:int[K] - the flags for the mapping; a combination ofMAP_SHAREDorMAP_PRIVATE, and other flags to define the access.fd:int[K] - the file descriptor of a regular file or device that is mapped into the calling process address space. If this parameter is -1, no file is mapped.off:off_t[K] - the offset from the start of the file, if file-associated memory is being mapped.
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
do_mmap_pgoff¶
Type¶
Kprobe
Purpose¶
To monitor mmap system calls from user space.
sys_mmap¶
Type¶
Kretprobe
Purpose¶
To monitor the return value of mmap system calls from the kernel.
Example Use Case¶
A typical use of the mmap() system call is to map a file into memory and then access it directly. This allows applications to read and write the file, without having to use the slow I/O operations, as the data is in memory. This is especially useful for applications that need to read a large file quickly, but don't need to write it.
Issues¶
To use mmap(), the process must have sufficient memory available to map the file. If not, the mmap() call will return a memory allocation error and the file will not be mapped.
Related Events¶
munmap()- to unmap previously mapped memory regions.mremap()- to remap memory regions.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.