Archive of posts tagged MODESET

Intercepting FIND/BLDL

Posted by on

Now that we know how to intercept SVC calls we can try something more interesting.  When a program is assembled the various macro contained in the source code have to be read from the macro library.  As the assembler reads these macros they are located using SVC 18 (FIND/BLDL).  By intercepting SVC 18 we can list the macros as they are being accessed by the assembler.

First we need to look at the input registers to SVC 18.  Register zero points to a parameter list and register one contains a DCB address or zero.  If the request is for BLDL then the contents register one will be positive.  If the request is for find then contents of register one will be negative.  For this excercise we only care about FIND and not BLDL so we can ignore the parameter list for BLDL.  For a FIND request register zero points to an eight-byte member name.

Now all we have to do is intercept calls to SVC 18 and print out the member name each time we encounter a FIND request.  In order for the assembler to work we will have to reissue the SVC call so the real SVC 18 can locate the member in the PDS.

         MVI   18(R2),X'00'       INTERCEPT SVC 18  BLDL/FIND

First we include SVC 18 in our list of intercepted SVC calls in the screen table.  By setting the corresponding byte in the screen table to X’00’ instead of X’80’ we will cause SVC 18 to be intercepted.

         CLI   0(R9),18           BLDL/FIND
         BE    SVC18

In our SVC processing routine we need to check for SVC number 18 as the interrupt code in the RB.

SVC18    DS    0H                          
         LR    R8,R0              SAVE R0  
         LR    R9,R1              SAVE R1  
         LR    R10,R15            SAVE R15

To process our SVC 18 interrupt we first save the parameter registers passed to the SVC routine.

          LTR   R1,R1                                 
          BP    SKIP18                  BRANCH IF BLDL

Now we check to see if the request is for BLDL or for FIND.  For now we will ignore BLDL requests.

         ST    R0,FWORD           SAVE R0 CONTENTS          
         UNPK  WORK(9),FWORD(5)   UNPACK                    
         TR    WORK(8),HEXTAB-C'0'                          
         MVC   WTO18+18(8),WORK                             
*                                                           
         ST    R1,FWORD                                     
         UNPK  WORK(9),FWORD(5)                             
         TR    WORK(8),HEXTAB-C'0'                          
         MVC   WTO18+30(8),WORK                             
*                                                           
         MVC   WTO18+39(8),0(R8)       COPY FIND MEMBER NAME
*                                                           
*               8.10...15...20...25...30...35...40...45...50
WTO18    WTO   'SVC 18 R0=******** R1=******** ********',   
               ROUTCDE=(1,11)

If it is a FIND request we make the contents of registers zero and one printable.  We do this by first storing the contents of the register into a full word.  Next we unpack the full word and finally we have to translate it to make it printable.  The result is copied into the message area of a WTO along with the member name which is pointed to by register zero (which was copied into register 8 for save keeping).  One think to note here is that we are not writing reentrant code.  This is not the way a SVC routine should be written but for now we can get away with it.

SKIP18   DS    0H                                             
         LR    R0,R8                                          
         LR    R1,R9                                          
         LR    R15,R10                                        
         NI    TCBFLGS7,255-(TCBSVCS)  TURN OFF SVC SCREENING 
         SVC   18                                             
         OI    TCBFLGS7,TCBSVCS        TURN ON SVC SCREENING  
         LR    R14,R11            RESTORE RETURN ADDRESS      
         BR    R14                RETURN TO CALLER

Finally we reissue the SVC call.  First we restore the parameter registers.  In order to allow the SVC call to actually go through instead of being intercepted again, and causing an endless loop, we have to temporarly disable screening by clearing the TCBSVCS bit.  Once we issue the SVC we can once again set the bit to resume screening.  All that remins is to do is to restore the return address and return to the caller.

        MODESET MODE=PROB        GIVE UP SUPERVISOR STATE

In our previous test of SVC screening we reset the APF Authorization bit in the JSCB using my User SVC 245 after getting into supervisor state using MODESET.  Before transfering control to the assembler we need to issue MODESET to restore us to problem state.

         LR    R1,R9              RESTORE PARM REG             
         LINK  EP=IFOX00          TRANSFER CONTROL TO ASSEMBLER

Before calling the assember we need to restore the parameter register contents which was saved off in register nine.

JOB 6911  $HASP373 RUNSVX   STARTED - INIT 12 - CLASS A - SYS TCS3
JOB 6911   6.02.51   0.00.00   0.00.00  0000   RUNSVX    COMPRESS 
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 IHARB                    
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 IKJRB                    
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 IEZXRB                   
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 IEZBITS                  
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 IKJTCB                   
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 TESTAUTH                 
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 IHBERMAC                 
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 WTO                      
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 IHBINNRA                 
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 DETACH                   
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 WAIT                     
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 ATTACH                   
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 IHBOPLST                 
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 GETMAIN                  
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 MODESET                  
JOB 6911  SVC 18 R0=00096C68 R1=FFF69718 SAVE                     
JOB 6911   6.02.51   0.00.00   0.00.00  0000   RUNSVX    ASM     
JOB 6911   6.02.51   0.00.00   0.00.00  0000   RUNSVX    ########
JOB 6911  $HASP395 RUNSVX   ENDED

After assembling and link editing I modified my assembler JCL and replaced the assembler program name (EXEC PGM=IFOX00) with my SVC screening program (EXEC PGM=SVCX) and added a STEPLIB.  Here are the results of running it.  We get a list of all the macros, including the inner macros, that were used in the assembly.

SVC Screening Propagation

Posted by on

We now have SVC screening working but only for one task (TCB).  If we attach a subtask the SVC screening fields are not propagated to the new task.  In later versions of MVS there is an option to set an additional flag in the TCB that will cause ATTACH processing to copy the SVC screening related fields.  We could modify the ATTACH SVC routine to propagate these fields, in fact it would be pretty simple.  Instead we will take a more interesting, and complex way to solve this problem.  We will use SVC screening to intercept ATTACH SVC calls and propagate the SVC screening fields in our intercept routine.

         MVI   42(R2),X'00'       INTERCEPT SVC 42  ATTACH

First we set the corresponding byte in our screen table for SVC 42 (ATTACH).

         CLI   0(R9),42           ATTACH 
         BE    SVC42

In our intercept routine we check for SVC 42 and branch to process it.

SVC42    DS    0H                                       
         LR    R14,R11            RESTORE RETURN ADDRESS
         L     R6,=V(SVX42)       SVC 42 ROUTINE        
         BR    R6                 TRANSFER CONTROL

First we restore the return address to register 14 and then we load the address of our SVC 42 processing routine into register 6 and branch to it. Entry to our routine will be exactly like a SVC call entry.

SVX42    CSECT ,                                         
         USING SVX42,R6           ESTABLISH BASE REGISTER
         USING TCB,R4             MAP TCB                
         USING RBSECT,R5          MAP RB

We start by establishing a base register and mapping the TCB and RB control blocks.

         LR    R8,R14             SAVE RETURN ADDRESS  
         LR    R9,R1              SAVE PARM LIST       
         LR    R10,R15            SAVE ATTACH PARM LIST

Next we save the return address contained in register 14, the parameter list for the attached program contained in register 1, and the parameter list for the ATTACH SVC contained in register 15.

         MODESET EXTKEY=RBT234,WORKREG=2  GET CALLERS PROT KEY

Now we need to get into the storage protect key of the issuer or the SVC. For this we use the MODESET macro and specify EXTKEY=RBT234 indicating the SVC is a type 2, 3, or 4. We also specify register 2 is to be used as a work register.

         GETMAIN R,LV=ATLSTSIZ+4,SP=229              
*                                                    
         LR    R7,R1              POINT TO WORK AREA 
         USING ATTCHLST,R7

Now we getmain some storage to make a copy of the ATTACH parameter list. This is necessary because we will copy the parameter list and modify it before reissuing the SVC. We add four additional bytes to be used by our intercept routine. The allocated storage will be in the same key as the issuer of the SVC. The copy of the parameter area is pointed to by register 7.

         MVI   ATTCHLST+ATLSTSIZ,X'00'   RESET AUTH SWITCH     
*                                                              
         TESTAUTH FCTN=1,STATE=YES,KEY=YES,RBLEVEL=2           
*                                                              
         LTR   R15,R15             IS CALLER AUTHORIZED        
         BNZ   AUTH010             NO - BRANCH                 
*                                                              
         OI    ATTCHLST+ATLSTSIZ,X'80'   SHOW CALLER AUTHORIZED
AUTH010  DS    0H

We will need to know if the issuer of the SVC is APF authorized or not. First we set our flag byte, past the end of the parameter list, to zero indicating the caller is not authorized. Next we use the TESTAUTH macro to determine if the caller was APF authorized. We have the TESTAUTH routine check the JSCB APF authorization bit as well as checking for supervisor state and PSW protect key less than eight. If any of these conditions are true the caller is considered authorized and we set our flag bit.

         MVC   0(ATLSTSIZ,R7),0(R10)    COPY CALLERS PARM LIST

Now we make a copy of the ATTACH parameter list.

        
         TM    ATTCHLST+ATLSTSIZ,X'80'  IS CALLER AUTHORIZED           
         BO    AUTH020                  YES - BRANCH                   
***********************************************************************
*                  RESET ALL AUTHORIZED PARAMETERS                     
***********************************************************************
         NI    ATINDS,255-(ATJSTCB+ATMODE+ATSVAREA+ATKEY+ATDISP+ATJSCB)
         NI    ATFLAGS1,255-ATRSAPF                                    
         XC    ATJSCBA,ATJSCBA                                         
         XC    ATTNSHLV,ATTNSHLV                                       
         XC    ATTID,ATTID                                             
         B     AUTH030             ATDISP ONLY VALID IF APF AUTH       
*                                                                      
*                                                                      
AUTHO20  DS    0H                                                      
         TM    ATINDS,ATDISP       WAS NO DISP SPECIFIED               
         BNO   AUTH030             NO - BRANCH                         
*                                                                      
         OI    ATTCHLST+ATLSTSIZ,X'40'   REMEMBER NO DISP              
AUTH030  DS    0H

If the caller is not APF authorized we clear all of the flags that are only valid for authorized callers and are ignored otherwise. If the caller is authorized we check to see if the ATDISP flag was set indicating the TCB should not be automatically made dispatchable. This is done because we will force this bit before reissuing ATTACH.

         OI    ATINDS,ATDISP      FORCE NO DISPATCH

Now we set the ATDISP flag in our copy of the ATTACH parameter list. Setting this flag bit will make the TCB initially marked non-dispatchable. This is necessary to allow us to set the SVC screening fields in the new TCB before be begins execution.

         SPKA 0                   GET INTO KEY ZERO            
         NI   TCBFLGS7,255-TCBSVCS  TURN OFF SVC SCREENING     
         MODESET EXTKEY=RBT234,WORKREG=2   BACK TO CALLERS KEY 
*                                                              
         LR   R15,R7              OUR UPDATED ATTACH PARM LIST 
         LR   R1,R9               CALLERS R1                   
         SVC  42                  ATTACH                       
         LR   R11,R1              SAVE NEW TCB ADDRESS         
         LR   R12,R15             SAVE RC

Now we get ready to reissue the ATTACH SVC. First we get back into protect key zero. Next we turn off SVC screening for the current TCB so we will not reintercept the call. We then get back into the caller’s protect key using MODESET. We restore the parameter registers 1 and 15 before call SVC 42. We then save the return parameter register values so they can be returned to our caller later.

         SPKA  0                  BACK TO KEY ZERO                 
         OI    TCBFLGS7,TCBSVCS   TURN SVC SCREENING BACK ON       
         LR    R1,R11             RESTORE PARM                     
         LTR   R15,R12            CHECK RC                         
         BNZ   FREEEXIT           EXIT IF NOT ZERO                 
*                                                                  
         L     R1,TCBSVCA2        GET SCREEN TABLE ADDRESS         
         DROP  R4                                                  
         USING TCB,R11            MAP NEW TCB                      
*                                                                  
         ST    R1,TCBSVCA2        STORE SCREEN TABLE ADDR INTO TCB 
         OI    TCBFLGS7,TCBSVCS   TURN ON SVC SCREENING

Now we go back to key zero and restore SVC screening for the current TCB. We then check the return code to see if the ATTACH was successful. If it failed we can to clean up and exit. If it was successful we copy the screen table address from the current TCB into the newly created TCB and set the TCBSVCS flag to active screening.

          L    R15,0(,R11)        POINT TO RB FOR NEW TASK 
          LM   R0,R3,RBGRSAVE     COPY REGISTERS TO NEW RB 
          STM  R0,R3,RBGRSAVE-RBSECT(R15)                  
          LM   R0,R3,RBGRSAVE+16                           
          STM  R0,R3,RBGRSAVE-RBSECT+16(R15)               
          LM   R0,R3,RBGRSAVE+32                           
          STM  R0,R3,RBGRSAVE-RBSECT+32(R15)

Now we copy the register contents from request block into the RB for the newly created task. This will make the initial register contents of the new task appear the same as if we had not intercepted the ATTACH SVC. It really should not make any difference since contents of the registers other than 1, 13, 14, and 15 are not guarenteed to contain any specific values. Still, by copying the contents of registers 0 through 12 we stay complete compatable with the normal operation of ATTACH.

         TM    ATTCHLST+ATLSTSIZ,X'80'   IS CALER AUTH            
         BO    AUTH040                   YES - NO RESET NEEDED    
*                                                                 
         L     R1,TCBGRS12        GET SVRB ROUTINE R12            
         NI    8(R1),255-X'80'    INDICATE ATTACHING TASK NOT AUTH

We have some attitional cleaup to do. Since we always reissue the ATTACH SVC and since we are always in supervisor mode when we reissue the SVC, ATTACH processing always sets up the new TCB as though it was created by an authorized program. This will cause problems when the new TCB is dispatched. If the caller is not authorized we need to reset a flag bit that is passed to the second half to ATTACH processing. When the new TCB is dispatched the initial execution point is in the ATTACH SVC where a new save area is allocated before passing control to a special entry point in the program loader. The program loader checks this flag bit to know if the caller of ATTACH was authorized or not. Since we reissued the ATTACH SVC this bit is always set. Here we reset it to reflect the state of the caller of the original SVC.

         SLR   R1,R1              ZERO R1                  
         ICM   R1,B'0111',ATSTAIXT  ANY STAI/ESTAI         
         BZ    AUTH040              NO - SKIP              
*                                                          
         L     R1,TCBSTAB         POINT TO SCB CHAIN       
AUTH035  DS    0H                                          
         ICM   R1,B'0111',1(R1)   POINT TO NEXT ENTRY      
         BZ    AUTH040            EXIT IF SCB NOT FOUND    
*                                                          
         USING SCB,R1                                      
*                                                          
         CLC   SCBEXIT+1(3),ATSTAIXT  IS THIS OUR SCB ENTRY
         BNE   AUTH035                NO - TRY NEXT        
*                                                          
         NI    SCBFLGS2,255-(SCBSUPER)  TURN OFF SUPER BIT 
AUTH040  DS    0H

We have one last thing to clean up before we can let the new TCB dispatch. If a STAEI/ESTAI was specified on the ATTACH we need to reset the supervisor mode bit in the STAE Control Block (SCB) if our caller was not authorized. Failre to properly set this bit could allow an unauthorized program to receive control in authorized mode when the ESTAE exit is called. If a STAEI/ESTAEI exit was specified on the ATTACH we loop through the SCB chain to locate the associated SCB and clear the SCBSUPER bit.

         TM    ATTCHLST+ATLSTSIZ,X'40'  SHOULD WE LEAVE NON-DISP 
         BO    AUTH050                  YES - BRANCH             
*                                                                
         STATUS RESET,ND,(R11),(12)                              
AUTH050  DS    0H

Now unless the caller was authorized AND specified the new task should not dispatch we now issue the STATUS macro to reset the task dispatchability status. This will allow the newly created task to begin execution.

FREEEXIT DS    0H                                             
         DROP  R11                                            
         USING TCB,R4                                         
         MODESET EXTKEY=RBT234,WORKREG=2  GET INTO CALLERS KEY
*                                                             
         FREEMAIN R,LV=ATLSTSIZ,A=(R7),SP=229                 
*                                                             
         SPKA  0                  BACK TO KEY ZERO

Now all that is left is to clean up before exiting. First we use MODESET to get back into the caller’s key so we can FREEMAIN the work area we previously allocated with GETMAIN. We then go back to key zero.

         LR    R1,R11             SET TCB ADDRESS        
         LR    R15,R12            SET ATTACH RC          
SVCEXIT  DS    0H                                        
         SPKA  0                  GET INTO KEY ZERO      
         LR    R14,8              RESTORE RETURN ADDRESS 
         BR    R14

Before exiting we need to restore the return values for register 1 and 15 that were previously saved.

         IKJTCB ,   
         IKJRB ,    
         IEZATTCH , 
         IEZJSCB ,  
         IHASCB ,

The control block mapping macros and register equates (not shown here) complete the SVC 42 intercept code.

         ATTACH EP=IFOX00,ECB=ECB                                     
         ST    R1,PTRTCB          SAVE TCB ADDRESS 
         WAIT  1,ECB=ECB                           
         DETACH PTRTCB            DETACH TCB

Now if we replace the LINK=IFOX00 to an ATTACH we can test the SVC 42 intercept logic.

JOB 6912  $HASP373 RUNSVX   STARTED - INIT 12 - CLASS A - SYS TCS3
JOB 6912  20.04.34   0.00.00   0.00.00  0000   RUNSVX    COMPRESS 
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 IHARB                    
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 IKJRB                    
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 IEZXRB                   
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 IEZBITS                  
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 IKJTCB                   
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 TESTAUTH                 
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 IHBERMAC                 
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 WTO                      
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 IHBINNRA                 
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 DETACH                   
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 WAIT                     
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 ATTACH                   
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 IHBOPLST                 
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 GETMAIN                  
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 MODESET                  
JOB 6912  SVC 18 R0=00096C68 R1=FFF69718 SAVE                     
JOB 6912  20.04.34   0.00.00   0.00.00  0000   RUNSVX    ASM     
JOB 6912  20.04.34   0.00.00   0.00.00  0000   RUNSVX    ########
JOB 6912  $HASP395 RUNSVX   ENDED

Upon execution we see that SVC 42 was intercepted and SVC screening was propagated since we are still intercepting the FIND SVC calls.