Hi Paul

Yes, anybody can call this PC and it will branch to the address in R1 with PSW key 0. The target code probably is expected to issue a PR to return to the instruction following the PC.

The system is basically compromised and unsecured.

Regards,
Keven Hall

> On Oct 30, 2021, at 09:31, [email protected] wrote:
>
> Hello
>
> I discovered this program and found it interesting.
> When invoked from a Non Authorized program it will switch the
> calling routine into supervisor state.
>
> This is the complete PC Service Routine.
>
> *********************************************************************
>          LCLC  &CSECT                  DEFINE LOCAL CSECT VARIABLE
> &CSECT   SETC  'XMS@SVC'               INITIALIZE CSECT SYMBOL
> &CSECT   AMODE 31                      ADDRESSING MODE
> &CSECT   RMODE ANY                     RESIDENCY MODE
> &CSECT   CSECT
>          J     ZGO                     Jump Around Module Identifier
> *
>          JMODID ID=&CSECT
> *
> ZGO      CNOP  2,4
>          LM    1,2,0(1)                Load passed parameters
>          SPKA  0(2)                    Set PSW key
>          EREG  2,13                    Get caller's registers off stack
>          BSM   0,1                     Branch back to User Code
>          LTORG                         Local Literal Pool
> *
> XMS@SVCP
>          END   &CSECT
>
> The above module resides in LPA and runs as a Non Space Switching Stacking
> PC Routine. The ETDEF for this module specifies a System LX.
>
> A non-APF program can call this PC routine and switch into Supervisor State.
> The BSM 0,1 branches back into user code, which will now be running in
> supervisor state.
> The User Code would eventually issue a PR instruction to remove the Linkage
> Stack Entry.
>
> 1st
> It is my assessment the above code circumvents MVS integrity protocol.
> Is my assessment correct?
>
> 2nd For curiosity -
> Once this PC routine branches back to the user's code (BSM 0,1),
> the user code is running in supervisor state and would issue a PR
> instruction to remove the entry from the linkage stack. I find this code very
> messy.
> How would the user code return to an instruction following the BSM so the PC
> Service Routine would issue the PR instruction?
>
> Paul D'Angelo
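To make the two answers above concrete (the caller is left in supervisor state with key 0, and a later PR lands after the PC rather than after the BSM), here is an added toy model of a stacking PC with PR, SPKA, EREG and BSM. It is example code, not part of the thread or of any z/OS component; the PSW is reduced to state, key and next instruction address, and all addresses, keys and the parameter list are constructed.

```python
# Added example, not from the thread: a toy model of a stacking PC with
# PR, SPKA, EREG and BSM. Addresses, keys and the PSW shape are constructed.
from dataclasses import dataclass, field

PROBLEM, SUPERVISOR = "problem", "supervisor"
ROUTINE_ENTRY, CALLER_NEXT, USER_KEY = 0x1000, 0x2004, 8

@dataclass
class Psw:
    state: str
    key: int
    next_ia: int   # address of the next instruction

@dataclass
class Cpu:
    psw: Psw
    regs: dict = field(default_factory=dict)
    stack: list = field(default_factory=list)   # linkage stack entries

    def pc(self, entry_state, entry_key):
        # Stacking PC: save the caller's PSW (already pointing past the PC)
        # and registers in a new entry, then enter as the ETDEF specifies.
        self.stack.append((Psw(**vars(self.psw)), dict(self.regs)))
        self.psw = Psw(entry_state, entry_key, ROUTINE_ENTRY)
    def spka(self, addr):   # PSW key from bits 56-59 of the operand address
        self.psw.key = (addr >> 4) & 0xF
    def ereg(self, lo, hi):   # registers lo..hi from the top stack entry
        self.regs.update({r: self.stack[-1][1][r] for r in range(lo, hi + 1)})
    def bsm(self, target):   # just a branch: state, key and stack untouched
        self.psw.next_ia = target
    def pr(self):   # Program Return: pop the entry, restore the caller's PSW
        self.psw = self.stack.pop()[0]

def xms_svc_as_posted(cpu, plist):
    # LM 1,2,0(1) / SPKA 0(2) / EREG 2,13 / BSM 0,1, as in the thread
    cpu.regs[1], cpu.regs[2] = plist
    cpu.spka(cpu.regs[2])
    cpu.ereg(2, 13)
    cpu.bsm(cpu.regs[1])

def routine_returning_with_pr(cpu, plist):
    # Normal exit of a stacking PC routine: PR hands the caller back its own
    # state and key, whatever the routine itself ran in.
    cpu.ereg(2, 13)
    cpu.pr()

def call(routine):
    cpu = Cpu(Psw(PROBLEM, USER_KEY, CALLER_NEXT), {r: 0 for r in range(16)})
    cpu.pc(SUPERVISOR, 0)            # ETDEF: supervisor state, key 0
    routine(cpu, (0x2100, 0 << 4))   # constructed plist: return addr, key 0
    return cpu
```

Running `call(xms_svc_as_posted)` leaves the CPU in supervisor state, key 0, at the caller-chosen address with the linkage-stack entry still present; a PR issued from there returns to CALLER_NEXT in problem state, key 8.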
