llseek¶
Intro¶
llseek - used to change the file position of a file descriptor
Description¶
llseek is a system call used for setting the file pointer of the open file descriptor to a specified offset. It is useful for accessing random locations of a file instead of sequentially. When using this syscall, the offset specified is a 64-bit unsigned long number which is divided into two parts, the 'offset high' and 'offset low' parts. The 'whence` parameter is used to determine the location in the file from which the offset is determined. The resulting file position is stored in the user-supplied 'result' argument which is an loff_t pointer.
There are some important drawbacks when using llseek. Firstly, the whence argument is not atomic, so if the file position is changed by another process during the call, the call will become invalid. Secondly, the offsets specified with this call do not exceed the maximum offset available when using 32 bit systems. This can be a problem when trying to access the very end of a large file. Lastly, since the loff_t pointer is user-supplied, it is vulnerable to TOCTOU (time of check, time of use) and to being incorrectly passed as an argument.
Arguments¶
fd
:unsigned int
[K] - The file descriptor associated with the file which the user wants to change the position of.offset_high
:unsigned long
[U] - The high part of the 64-bit offset which the user wishes to set the file position to.offset_low
:unsigned long
[U] - The low part of the 64-bit offset which the user wishes to set the file position to.result
:loff_t*
[K] - The pointer to the user-supplied variable which will hold the resulting file position after llseek is called.whence
:unsigned int
[U] - Integer which determines the location from which the offset is determined, as specified in the linux manual page for llseek.
Available Tags¶
K - Originated from kernel-space. U - Originated from user space (for example, pointer to user space memory used to get it) TOCTOU - Vulnerable to TOCTOU (time of check, time of use) OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
sys_llseek¶
Type¶
Kprobe
Purpose¶
This function is hooked to allow tracing of the llseek syscall.
Example Use Case¶
The llseek syscall could be used in a program which needed to access portions of a file randomly without reading the entire file.
Issues¶
Since the loff_t pointer is user-supplied and not checked to the kernel, the pointer is vulnerable to TOCTOU and incorrect arguments.
Related Syscalls¶
- lseek - used to set the file position of a file descriptor without needing to pass two arguments for the offset.
- pread - used to read from a specific offset in a file without needing to set the file pointer manually.
- pwrite - used to write from a specific offset in a file without needing to set the file pointer manually.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.