mprotect

Intro

mprotect - Change protection on a region of memory

Description

The mprotect() system call is used to change the protection of a region of memory. This system call is useful for preventing malicious code from writing to a region of memory. It can also be used to manually allocate and/or deallocate memory for an application.

The mprotect() system call modifies the page protection bits of any valid mapped pages in the address range starting at addr and continuing for len bytes. If a page is not valid or not mapped, or if it is locked, then it will not be modified by mprotect(). If a page is in read-only mode, then it cannot be set writable by mprotect(), as long as the page is still mapped.

The prot argument must include either PROT_READ or PROT_WRITE or both, as well as any of the other flags (they are all cumulative).
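The address-range handling described above, as an added C example for Linux (not code from the Tracee project): it shows that mprotect() rejects an unaligned addr with EINVAL and that protection is applied to whole pages, so a call with len = 1 makes the entire first page read-only. The helper names write_faults and demo_mprotect are made up for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jmp;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Probe: returns 1 if a one-byte write to p raises SIGSEGV, 0 if it succeeds. */
static int write_faults(volatile char *p) {
    struct sigaction sa, old;
    volatile int faulted = 1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jmp, 1) == 0) {  /* 1: restore the signal mask on jump */
        *p = 'x';
        faulted = 0;
    }
    sigaction(SIGSEGV, &old, NULL);      /* put the previous handler back */
    return faulted;
}

/* Returns 0 if all checks pass, otherwise the number of the failing step. */
int demo_mprotect(void) {
    long page = sysconf(_SC_PAGESIZE);
    char *buf = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return 1;
    buf[0] = 'a';
    /* addr must be page-aligned; an unaligned start is rejected with EINVAL. */
    errno = 0;
    if (mprotect(buf + 1, 1, PROT_READ) != -1 || errno != EINVAL) return 2;
    /* len = 1, yet protection is per page: the whole first page goes read-only. */
    if (mprotect(buf, 1, PROT_READ) != 0) return 3;
    if (!write_faults(buf + page - 1)) return 4;  /* last byte of page 0 */
    if (write_faults(buf + page)) return 5;       /* page 1 keeps PROT_WRITE */
    if (buf[0] != 'a') return 6;                  /* reads are still allowed */
    munmap(buf, 2 * page);
    return 0;
}

int main(void) {
    int rc = demo_mprotect();
    printf("demo_mprotect: %s (step %d)\n", rc ? "unexpected" : "ok", rc);
    return rc;
}
```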

Arguments

  • addr:void*[K] - Start address
  • len:size_t[K] - Length in bytes
  • prot:int[K] - Protection flags (PROT_READ, PROT_WRITE, PROT_EXEC, PROT_SEM and PROT_NONE are provided)

Available Tags

  • K - Originated from kernel-space
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_mprotect

Type

Kprobe

Purpose

Monitor access to memory and enforce memory protections

Example Use Case

The mprotect() syscall can be used to enforce memory protections on a region of memory. This can be useful for detecting and preventing malicious code from writing to a region of memory. It can also be used to manually allocate and/or deallocate memory for an application.

Issues

Currently, mprotect() does not check permissions when PROT_READ or PROT_EXEC is specified. This can lead to security vulnerabilities if an attacker is able to control a pointer that is passed to mprotect().

Related Events

  • mmap - Map pages of memory
  • munmap - Unmap pages of memory

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.