The key is in the RBOPSW of the callers RB. As for the byte count, MVCSK uses the same format of the length in the register as you would use in EX instruction, 1 less than the actual length. Also, if you look at the assembly listing for an MVC, for example MVC 0(8,R3),0(R8) the assembler will generate D207 3000 8000, so it uses the a length of 1 less than the length.
Wayne Driscoll Note: All opinions strictly my own. On Fri, Apr 26, 2024 at 2:21 PM Erik Janssen < [email protected]> wrote: > Hello List, > > Is there way to determine the key that the caller of a SVC is executing > in? For a PC routine doing an ESTA and some shifting seems to be the way to > find the key, but I'm unsure how the same could be done from a user SVC. > Is it somewhere in the SVRB? > Also, I see this example in the authorized code scanner: > > https://www.ibm.com/docs/en/zos/2.4.0?topic=fixes-fetch-vulnerability-example > > vulnerable: > LA R3,copyparms > MVC 0(4,R3),0(R2) > > fixed: > LHI R3,1 > ESTA R0,R3 > SRDL R0,48 > LHI R0,3 > LA R3,copyparms > MVCSK 0(R3),0(R2) > > I noticed that the length loading in R0 for the MVCSK is 3, while in the > vulnerable mvc example the length is 4. > The POP for MVCSK says: > L specifies the number of bytes to the right of the first > byte of each operand. Therefore, the length in bytes > of each operand is 1-256, corresponding to a length > code in L of 0-255. > > Is there any logic behind why MVC uses the actual byte count and MVCSK > uses the 'number of bytes to the right'? > > Kind regards, > Erik Janssen. > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > -- Wayne Driscoll Software Engineer | Mainframe Software Division Broadcom Software *Office: *630-300-1931* Mobile:* 630-247-1632 [email protected] -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
