Skip to content



vmsplice - read data from a pipe into a user address space


The vmsplice() system call transfers a count of up to nr_segs elements from a user address space, into the specified pipe. Any type of pipe can be used, including anonymous pipes (created using the pipe() system call) and directed pipes created using the openat() system call with the O_PATH flag. The flags argument can be set to VMSPLICE_F_MOVE, to transfer ownership of the pages containing the iovec elements. The iov argument points to an array of iovec structures, each consisting of a pointer to a location in the user address space iov_base, and its length iov_len.

Vmsplice does not check for the validity of the memory area, nor for its read access rights. Passing of invalid addresses (such as kernel space addresses) can corrupt the system.


  • fd:int[K] - file descriptor of pipe.
  • iov:const struct iovec*[K] - pointer to a user space buffer containing the iovec elements to copy into the pipe.
  • nr_segs:unsigned long[K] - number of elements in iov.
  • flags:unsigned int[K] - indicate the type of action available with the iov buffer. Can be set to VMSPLICE_F_MOVE, to transfer ownership of the pages containing the iov elements.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




Kprobes + kretprobes


Monitor process activity in terms of manipulating pipes

Example Use Case

One example use case of vmsplice() could be an application that copies data from the user's shared memory space to a pipe, which will then be read by another application. This method of inter-process communication is efficient and helps to ensure data integrity.


The vmsplice() system call is vulnerable to TOCTOU (Time of Check, Time of Use) attacks. This is because the memory passed to it is not checked for validity or for read access rights. Passing kernel space addresses to it could corrupt the system.

The splice system call can be used to send data from one pipe to another pipe, and can be combined with vmsplice() to pass data from user space memory to a pipe. The sendfile() system call can also be used to pass the contents of a file to a socket or pipe.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.