Skip to content

process_vm_writev

Intro

process_vm_writev - transfer data between address spaces of different processes

Description

process_vm_writev() is a system call that allows for transfer of data between the address spaces of two different processes, the caller, and the target. The two processes are referred to as the "local" and the "remote" process. It does this by writing the contents of one or more iovec data structure entries from the local process to the same entries in a buffer belonging to the remote process. This transfer may either be a completely new set of data, or an update to previously written data. The general approach to using this system call is to use either the vm_writev() or the process_vm_writev()set the iovec data structures of the local process. Then, the contents of those iovec entries can be transfered to the target process by issuing the process_vm_writev() syscall, passing in its parameters the intended target process and the structures containing the data to be written.

Are there any edge-cases, drawbacks or advantages of using it?

A potential disadvantage is that the local process must have a full copy of the data ready to be written, which may involve a significant amount of time and effort for large amounts of data. Additionally, the remote process may not always have the relevant data to be updated or the memory protection for the target buffer may restrict a successful write.

Arguments

  • pid: pid_t[K] - pid of the target process
  • local_iov: const struct iovec*[K] - pointer to the iovec structure for the host process
  • liovcnt: unsigned long[K] - number of elements from the local iovec structure to be written
  • remote_iov: const struct iovec*[K] - pointer to the iovec structure for the target process
  • riovcnt: unsigned long[K] - number of elements from the remote iovec structure to be written
  • flags: unsigned long[K] - additional flags to be passed to the syscall

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

process_vm_writev

Type

Kprobe

Purpose

To record information about data written from the local process to the target process.

Example Use Case

One example use case for this system call is when a search engine needs to quickly update thousands of webpages across many different machines simultaneously. Rather than updating each page one at a time, the process_vm_writev syscall can be used to transfer the same data set to multiple machines, significantly reducing the time needed to update all the pages.

Issues

No major issues have been found with this system call.

  • readv: The readv system call is similar to process_vm_writev in that it allows for data transfer between two process, however readv only allows for reading data from the remote process.
  • mmap: During a successful process_vm_writev call, the contents of the data structures from the remote process can be mapped into the address space of the local process. This allows for more efficient data transfer between the two processes.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.