stat64
Intro
stat64 - Get the status information of a file
Description
The stat64() system call gets the status information of the file pointed to by pathname, and returns it in the statbuf structure, which includes information like file type, size, inode, etc. The statbuf structure needs to be allocated by the caller, as it will be filled in by the kernel.
The stat64() system call is vulnerable to Time-of-Check Time-of-Use (TOCTOU) race conditions: the statbuf argument is a pointer to the status information of the file, and if the file is changed between the check and the later use, the information returned by stat64() could be wrong.
Arguments
- pathname: const char* [U] - Path to the file to be stat'ed
- statbuf: struct stat64* [U] - Pointer to struct stat64 in user-space, that will be filled in by the kernel.
Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks
sys_stat64
Type
Kprobe
Purpose
Observe where the stat64() system call is used in the kernel.
Example Use Case
The stat64() system call can be used to get the status information of a file before executing it to check for permission, etc.
Issues
The stat64() system call is vulnerable to TOCTOU race conditions: the statbuf argument is a pointer to the status information of the file, and if the file is changed between the check and the later use, the information returned by stat64() could be wrong.
Related Events
- open64: Related, as it is needed to open a file and get its information before executing it.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.