truncate

Intro

truncate - Change the size of a file to a specified length

Description

The truncate() system call causes the regular file referenced by path to have a size of exactly length bytes; the related ftruncate() call does the same for a file referenced by the file descriptor fd.

If the file previously was larger than length, the extra data is discarded. If the file was previously shorter, it is extended, and the extended part reads as null bytes (‘\0’).
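The shrink and extend behaviour described above, as an added example that is not part of the Tracee documentation or source. The scratch path under /tmp, the sample bytes and the names trunc_result and run_truncate_demo are assumptions made for illustration. Note that data discarded by the shrink does not come back when the file is extended again.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose truncate(), pread(), mkstemp() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Observed state after one shrink-then-extend cycle (hypothetical helper type). */
struct trunc_result {
    off_t size_after_shrink, size_after_extend; /* st_size after each call */
    int kept_prefix, tail_is_zero;              /* 1 = true, 0 = false */
};

/* Returns 0 on success, -1 if any call fails. The scratch file is always removed. */
int run_truncate_demo(struct trunc_result *r)
{
    char path[] = "/tmp/truncate_demo_XXXXXX";  /* constructed scratch path */
    char buf[16];
    struct stat st;
    int rc = -1, fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "ABCDEFGHIJ", 10) != 10) goto out;  /* constructed sample data */
    /* Shrink to 4 bytes: "EFGHIJ" is discarded. */
    if (truncate(path, 4) != 0 || stat(path, &st) != 0) goto out;
    r->size_after_shrink = st.st_size;
    /* Extend to 16 bytes: bytes 4..15 must read as '\0', not as the old data. */
    if (truncate(path, 16) != 0 || stat(path, &st) != 0) goto out;
    r->size_after_extend = st.st_size;
    if (pread(fd, buf, sizeof buf, 0) != (ssize_t)sizeof buf) goto out;
    r->kept_prefix = memcmp(buf, "ABCD", 4) == 0;
    r->tail_is_zero = 1;
    for (size_t i = 4; i < sizeof buf; i++)
        if (buf[i] != '\0') r->tail_is_zero = 0;
    rc = 0;
out:
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    struct trunc_result r;
    if (run_truncate_demo(&r) != 0) return 1;
    printf("shrink=%ld extend=%ld prefix_kept=%d zero_tail=%d\n",
           (long)r.size_after_shrink, (long)r.size_after_extend, r.kept_prefix, r.tail_is_zero);
    return 0;
}
```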

Arguments

  • path:const char*[U] - The path of the file to be truncated.
  • length:off_t[K] - The length of the file.

Available Tags

  • K - Originated from kernel space.
  • U - Originated from user space (for example, a pointer to user-space memory used to read the value).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_truncate

Type

KPROBE

Purpose

sys_truncate is hooked to gather information about a regular file being truncated.

Example Use Case

truncate can be used to reduce the size of a file; if the file is longer than the specified length, the extra data is discarded.

Issues

If the specified length is greater than the actual size of the file, security issues may arise if the file is allocated and filled with data afterwards.

Related Events

fchmodat, creat, ftruncate

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.