Skip to content

vfork

Intro

vfork - system call used to make a copy of the current process

Description

The vfork() system call is used by a program to create a copy (child process) of itself. The child process runs in the same address space as the parent process until it either calls execve() or exits. This allows for faster process creation since the child process inherits many of the attributes of the parent process. However, if neither execve() or exit() is called, a deadlock can occur when the parent process attempts to execute code before the child process has terminated.

The vfork() system call creates a child process that share the same memory space as the parent, but the parent process will not run until the child process either calls execve() or exits. This usage of memory allows for higher speed process creation, but can lead to problems if the child process does not call execve() or exit().

Arguments

  • pid: pid_t[K] - The pid of the child process created by the call.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_vfork

Type

Kprobe

Purpose

Hook sys_vfork to track the pid of the child process and the return values of the call.

Example Use Case

vfork() is often used to create simple command-line programs or shell scripts. For example, man fork is executed by calling vfork() to create a new process and execute the man command in it.

Issues

The main issue regarding vfork() is the potential for deadlock, since the parent process can not continue executing until the child process calls exit() or execve(). Programs using vfork() should ensure that the child process does not run for too long or in an infinite loop.

  • fork() - A system call to create a new process that does not share memory with the parent process.
  • execve() - A system call to execute a new program in the child process created by vfork().
  • clone() - A system call to create a new process that shares the memory space of the parent process.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.