pwrite64 - A system call that writes data from a buffer described by buf of a given size count to a given file descriptor fd at a certain offset offset in the open file.
The pwrite64 system call, like the write system call, writes data from a buffer described by buf of a given size count to a specified file descriptor. The pwrite64 system call differs from the write system call in that it writes a specified number of bytes to an open file descriptor at an offset instead of the current position. This offset can be specified with offset, a parameter of type off_t, which is a signed integer type frequently used to specify an offset or distance. This behavior is useful if, for example, an application needs to write data to a file at specific locations.
The pwrite64 system call is not vulnerable to Time-of-Check Time-of-Use (TOCTOU) because the parameters are evaluated before any action is taken.
- fd: int[K] - The file descriptor.
- buf: const void*[KU] - Pointer to the buffer containing data for the write operation.
- count: size_t[K] - Quantity of data, in bytes, to be written to the file descriptor.
- offset: off_t[K] - Specifies the position in the file where the data from buf should be written.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Used to keep track of all calls to the pwrite64 system call.
Used to observe the start of all the execution of group 2 system calls.
Example Use Case
The pwrite64 system call can be used by programs that need to modify an existing file in a very precise way. A good example would be a text editor that uses pwrite64 to modify the file at a particular byte offset, ensuring that it keeps the original file structure intact.
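The in-place edit described above, as an added example that is not part of the Tracee documentation: it patches four bytes at offset 3, checks that the descriptor's own file position did not move, and shows that a negative offset, which the signed off_t permits, is rejected with EINVAL. On 64-bit Linux the glibc pwrite() wrapper issues the pwrite64 system call. The function names and the scratch path under /tmp are constructed for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open an anonymous scratch file (the path template is a constructed placeholder). */
static int scratch_fd(void)
{
    char path[] = "/tmp/pwrite_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);          /* file lives only as long as fd */
    return fd;
}

/* Write 10 bytes with write(), patch 4 bytes at offset 3 with pwrite(),
 * and return 0 only if the patch landed and the file position stayed at 10. */
int demo_positional_write(void)
{
    char back[10];
    int rc = -1, fd = scratch_fd();
    if (fd < 0) return -1;
    if (write(fd, "AAAAAAAAAA", 10) == 10) {      /* position is now 10 */
        ssize_t n = pwrite(fd, "BBBB", 4, 3);     /* explicit offset 3 */
        off_t after = lseek(fd, 0, SEEK_CUR);     /* unchanged by pwrite() */
        if (n == 4 && after == 10 &&
            pread(fd, back, 10, 0) == 10 && memcmp(back, "AAABBBBAAA", 10) == 0)
            rc = 0;
    }
    close(fd);
    return rc;
}

/* Pass a negative offset; return the resulting errno (0 if the call succeeded). */
int demo_negative_offset(void)
{
    int fd = scratch_fd();
    if (fd < 0) return -1;
    int err = (pwrite(fd, "X", 1, (off_t)-1) == -1) ? errno : 0;
    close(fd);
    return err;
}

int main(void)
{
    printf("patch ok: %d, negative-offset errno: %d\n",
           demo_positional_write() == 0, demo_negative_offset());
    return 0;
}
```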
Due to its parameters, the pwrite64 system call can be rather slow when dealing with large files since its read/write operations occur at an offset specified in the parameter offset; hence, it performs one operation at a time (as opposed to the write system call).
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.