madvise - Provides optimization advice about the memory in the specified address range.
The madvise() system call provides advice about the use of memory addresses in the specified range. This range is defined by the starting address pointer addr and length. The advice is specified by the advice argument in the form of a value defined in <sys/mman.h>. Valid values of advice are MADV_NORMAL, MADV_RANDOM, MADV_SEQUENTIAL, MADV_WILLNEED, MADV_DONTNEED, MADV_REMOVE, or MADV_HUGEPAGE.
This call will not generate any errors if the advice is not honored, but it can be used as a hint for performance optimization. For example, MADV_WILLNEED can be used to inform the kernel that an application intends to access the memory addresses in the range, and that the kernel should not only immediately load the page from swap into memory but also keep it in memory even if memory pressure increases, in order to avoid having to re-fetch the page from swap.
It is also important to note that the kernel is not obligated to honor the advice: it can choose to ignore the advice if it needs to free up memory or if the system load is too high.
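When triaging madvise events, the advice argument decides whether a call is a pure hint or one that changes what the range contains. The C program below is an added example, not part of the Tracee documentation or code; it assumes Linux and a private anonymous mapping, and the names pages_surviving, unaligned_errno and NPAGES are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NPAGES 4 /* constructed sample size */

/* Map NPAGES anonymous pages, fill them with 0xAA, apply `advice`, and
 * count the pages whose first byte survived. Returns -errno on failure. */
int pages_surviving(int advice)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = NPAGES * page;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -errno;
    memset(p, 0xAA, len);

    int kept = 0;
    if (madvise(p, len, advice) != 0)
        kept = -errno;
    else
        for (size_t i = 0; i < NPAGES; i++)
            kept += (p[i * page] == 0xAA); /* zero-filled after DONTNEED */
    munmap(p, len);
    return kept;
}

/* Ignored advice is not an error, but bad arguments are: a start
 * address that is not page-aligned is rejected. Returns the errno seen. */
int unaligned_errno(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int err = (madvise(p + 1, page, MADV_NORMAL) == -1) ? errno : 0;
    munmap(p, 2 * page);
    return err;
}

int main(void)
{
    printf("MADV_SEQUENTIAL kept %d/%d pages\n", pages_surviving(MADV_SEQUENTIAL), NPAGES);
    printf("MADV_DONTNEED   kept %d/%d pages\n", pages_surviving(MADV_DONTNEED), NPAGES);
    printf("unaligned addr  errno=%d\n", unaligned_errno());
    return 0;
}
```

MADV_SEQUENTIAL leaves the data intact, while MADV_DONTNEED on this kind of mapping discards it, so later reads see zero-filled pages.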
void*[U] - Pointer to the starting address of the range.
size_t[U] - Length of the range in bytes.
int[U] - Integer representing an advice on how to handle the memory in the specified address range, defined in <sys/mman.h> as MADV_NORMAL, MADV_RANDOM, MADV_SEQUENTIAL, MADV_WILLNEED, MADV_DONTNEED, MADV_REMOVE, or MADV_HUGEPAGE.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobe + Kretprobe
To monitor the execution of the madvise syscall, analyze arguments and detect usage.
Example Use Case
A complex application uses madvise to tell the kernel that it will be accessing a certain address range with hot data, which helps the kernel know that it should not be swapped out until the application no longer needs it.
madvise is prone to a TOCTOU vulnerability, in which the behavior of the call may differ from the expected behavior since the memory state can change between the time it is checked and the time it is used.
- mincore - Determine whether pages are resident in memory
- mremap - Remap an existing memory range
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.