remap_file_pages - Map or remap part of a file into the process's address space
remap_file_pages system call changes the protection and mapping of memory pages in the virtual address space of the calling process. It can remap an existing file mapping, create a new one, or unmap a range of pages previously mapped. It can also be used to change the permissions of the mapped pages.
This call provides support for memory mapped files that can be used as shared memory or for other kinds of memory sharing among processes.
An edge-case that can be encountered when using
remap_file_pages is when the requested range of file pages is not available. This can be caused by the underlying file having been truncated, or if the requested mapping overlaps with another existing mapping.
void*[U] - Starting address of the mapping.
size_t[U] - Size of the mapping.
int[U] - Memory protection flags to set for the mapping.
size_t[U] - File offset in bytes corresponding to the start of the mapping.
int[U] - Flags for the mapping. Can be set to 0 for default behavior.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
To monitor the
do_mmap_pgoff syscall which is used by the kernel to handle
To monitor the
update_mmap_zero_pfn syscall which is used by the kernel to handle
Example Use Case¶
remap_file_pages can be used when a process needs to share parts of its address space with other processes. This can be done through the use of memory mapped files or shared memory.
Due to its underlying implementation,
remap_file_pages can be vulnerable to TOCTOU races. This means that between the time when the data is read and the data is used, other operations can take place which make the read data obsolete.
mmap: used to create mappings in the virtual address space
mprotect: used to change page permissions
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.