mincore - Read the memory mapping of a given address.
mincore is a Linux system call that retrieves the page-level memory usage of a specified range of virtual addresses. It takes three arguments: the virtual address at which to start, the length of the range to query, and an array of bytes to write the retrieved data to. The call fills that array with a vector of bytes whose bits indicate the usage of pages in the specified address range.
There are some noteworthy edge cases and drawbacks to this system call. It is not designed for large ranges of virtual addresses and can quickly become slow when used on them. Also, the information retrieved may already be out of date by the time it is read, meaning that it may not accurately reflect the usage of the specified virtual address range.
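The call described above, as an added example that is not part of the Tracee documentation: it passes the three arguments, sizes the result vector at one byte per page, and reads the least significant bit of each byte, which is set when the page is resident in RAM. The helper names (`resident_pages`, `demo_touched`, `unaligned_errno`) are hypothetical, and Linux with glibc is assumed.

```c
#define _DEFAULT_SOURCE            /* exposes mincore() and MAP_ANONYMOUS in glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Count resident pages in [addr, addr+len); returns -1 on error. */
long resident_pages(void *addr, size_t len) {
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    size_t npages = (len + psz - 1) / psz;      /* vec needs one byte per page */
    unsigned char *vec = malloc(npages);
    if (!vec) return -1;
    long n = -1;
    if (mincore(addr, len, vec) == 0) {
        n = 0;
        for (size_t i = 0; i < npages; i++)
            n += vec[i] & 1;                    /* only the low bit is defined */
    }
    free(vec);
    return n;
}

/* Hypothetical demo: map npages anonymous pages, write to the first `touch`. */
long demo_touched(size_t npages, size_t touch) {
    size_t psz = (size_t)sysconf(_SC_PAGESIZE), len = npages * psz;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    for (size_t i = 0; i < touch; i++)
        p[i * psz] = 1;                         /* fault the page in */
    long n = resident_pages(p, len);            /* a snapshot: can be stale at once */
    munmap(p, len);
    return n;
}

/* The start address must be page-aligned; returns the errno mincore sets. */
int unaligned_errno(void) {
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char vec[2], *p = mmap(NULL, 2 * psz, PROT_READ | PROT_WRITE,
                                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int rc = mincore(p + 1, psz, vec), err = errno;
    munmap(p, 2 * psz);
    return rc == -1 ? err : 0;
}

int main(void) {
    printf("touched 3 of 8: %ld resident\n", demo_touched(8, 3));
    printf("touched 8 of 8: %ld resident\n", demo_touched(8, 8));
    printf("unaligned start: errno %d (EINVAL is %d)\n", unaligned_errno(), EINVAL);
    return 0;
}
```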
void*[U] - A pointer to the starting virtual address of the memory region to query.
size_t[U] - The length of the memory region to query.
unsigned char*[U] - A pointer to an array of bytes that mincore will write the results to.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
To trace and monitor memory usage.
Example Use Case
mincore could be used to detect page faults in areas of memory the program is subscribed to. This can be used to help determine specific areas of memory which are actively in use.
mincore is not designed to determine memory access patterns, as this system call is not able to capture the accessed pages once they have been accessed.
The mincore system call can be used effectively in conjunction with the mprotect and mlock system calls: mprotect modifies the access protection of a memory region, mlock locks a memory region in RAM, and mincore can help determine usage of those regions.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.