Skip to content



msgctl - manipulate message queue control operations on System V message queues


The msgctl system call is used to manipulate message queue control operations on System V message queues. Depending on the command, it can be used to set or get the attributes associated with a message queue, change ownership of the queue, or remove the queue entirely.

The command argument specifies the requested control action: * IPC_STAT to fetch the msqid_ds structure, which contains various status and control information about the queue itself; * IPC_SET to set some of the members of the msqid_ds structure; * IPC_RMID to remove the data structure associated with the message queue and destroy the queue.

The msgctl system call can suffer from certain time-of-check-to-time-of-use (TOCTOU) vulnerabilitites.


  • msqid:int[K] - the identifier of the message queue to be operated on.
  • cmd:int[K] - the operation to be performed on the message queue. Supported commands are IPC_RMID, IPC_STAT, and IPC_SET, as defined in .
  • buf:struct msqid_ds*[KU TOCTOU] - the address of a msqid_ds structure, which is used depending on the command.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)






To monitor the arguments and the return value of the msgctl system call.

Example Use Case

The msgctl system call can be used to monitor message queues, as well as to detect suspicious activity. For example, it could be used to detect if a queue is constantly being modified or if a malicious process is trying to modify a queue without authorization.


The msgctl system call is vulnerable to TOCTOU vulnerabilities, as the system call may validate one argument when entering the kernel and a different argument when actually executing the command.

  • msgget
  • msgsnd
  • msgrcv

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.