On Tue, 17 Mar 2015 09:14:56 -0500, John McKown <[email protected]> wrote:

>I just had a thought (and it's lonely). You start off APF authorized,
>key 8 as a "normal" APF program. You want to run program "B" from the
>STEPLIB, but without APF authorization. Perhaps the simplest way is to
>use SYNCHX something like:
>
>   LOAD EP=B
>   ST R0,EPA_B
>   MODESET KEY=ZERO
>   USING PSA,0
>   L  R3,PSATOLD MY TCB
>   USING TCB,R3
>   L  R3,TCBJSCB GET JSCB ADDRESS
>   DROP R3
>   ICM R3,B'1000',=X'00' CLEAR HIGH BYTE
>   USING IEZJSCB,R3
>   NI JSCBOPTS,255-JSCBAUTH NOT APF
>   L R15,EPA_B
>   SYNCHX (15) INVOKES PROGRAM B IN TCB KEY
>   OI JSCBOPTS,JSCBAUTH RESTORE APF AUTHORIZATION
>   MODESET KEY=NZERO
>
>The SYNCHX is the magic which allows your code to stay key 0 while
>invoking the other program "in line" in key 8. When the program
>returns, your code is still key 0. At which point you restore APF
>authorization and continue on.

At which point you have a _major_ system integrity flaw. What about all that 
key 8 storage your APF-authorized program has been using? The program you 
SYNCHX'd to is free to overwrite it. You cannot trust any of it, including the 
initial save area that MVS passed to your program, and where you presumably 
stored the registers on entry (including the return address).

When you go to return to the system it's quite possible that you'll go to an 
address selected by the rogue routine, and it will be running with APF 
authority at that point.

This can only be fully safe if you never have any key 8 storage, or if you copy 
all your key 8 data to a system key area before you invoke the unauthorized 
program, and never use the old key 8 storage again. That would be made a bit 
easier for you if your program was added to the PPT as running in a system key. 
Then your initial save area and everything you GETMAIN would be in that system 
key by default. But if you start out in key 8, you have more work to do.

-- 
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
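
The storage-key argument in the reply above, as a simplified Python model; this is an added illustration, not part of the original message and not z/OS code. The class and function names and both addresses are constructed, and the model assumes only the basic rule that a store succeeds when the PSW key is 0 or equals the storage key.

```python
# Simplified model of key-controlled storage protection (added illustration).
class ProtectionException(Exception):
    """Models the protection exception raised on a disallowed store."""

class Storage:
    def __init__(self):
        self.areas = {}  # name -> [storage_key, contents]

    def obtain(self, name, key, contents):
        self.areas[name] = [key, contents]

    def store(self, psw_key, name, contents):
        storage_key = self.areas[name][0]
        # Assumed rule: PSW key 0 may store anywhere; otherwise keys must match.
        if psw_key != 0 and psw_key != storage_key:
            raise ProtectionException(name)
        self.areas[name][1] = contents

    def load(self, name):
        return self.areas[name][1]

SYSTEM_RETURN = 0x00FE1000  # constructed: return address saved on entry
ROGUE_TARGET = 0x1F002000   # constructed: address chosen by program B

def program_b(storage):
    """Unauthorized program B, running in the TCB key (8) under SYNCHX."""
    try:
        storage.store(8, "savearea", ROGUE_TARGET)
    except ProtectionException:
        return "blocked"
    return "overwritten"

def run_caller(savearea_key):
    """Authorized caller whose save area lives in storage of the given key."""
    storage = Storage()
    storage.obtain("savearea", savearea_key, SYSTEM_RETURN)
    # JSCBAUTH is off here; B runs "in line" in key 8.
    outcome = program_b(storage)
    # JSCBAUTH is back on; the caller now returns through the saved address.
    return outcome, storage.load("savearea")

if __name__ == "__main__":
    for key in (8, 0):
        outcome, ret = run_caller(key)
        print(f"save area in key {key}: {outcome}, returns to {ret:#010x}")
```

With the save area in key 8 the caller returns, APF authorized, to the address B chose; with it in key 0 the store fails and the saved return address is intact.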
