On 09/16/2015 11:29 AM, Paul Koning wrote:
> I never had any incentive to look for holes in CDC operating systems,
> but I still remember a simple hole I found in OS/360, about a month
> after I first wrote a program for that OS. It allowed anyone to run
> supervisor mode code with a couple dozen lines of assembler source
> code. I found it on OS/PCP 19.6, but I noticed in graduate school
> that it still worked on the university's 370 running OS/MVS 21.7.
> (The magic? Use the OS service to give a symbolic name to a location
> in your code, with a well chosen name, then give that name as the
> name of the "start I/O appendage" in an EXCP style I/O request.)
I recall going through a dump of a 360/40 running DOS and digging out
the names of the various transient phases. Lots of interesting stuff
there--and DOS did nothing to verify that a phase could be invoked only
internally.
At CDC a couple of us were dealing with a SCOPE 3.1.6 or 3.2 version (I
don't recall which) and decided to see what would happen if one combined
the RPV PP call (job reprieve) with the RSJ (reschedule job) call.
What happened was what you'd expect to happen--said job would keep
spawning copies of itself--and like the sorcerer's apprentice, spawned
another new copy when the operator tried to kill the job. The simple
way to kill the thing was to deadstart--there may have been others, but
the input queue filled up pretty quickly.
We tried this out on dedicated block time and were delighted with its
operation. Some idiot in CPD tried it on COMSOURCE time and was told in
no uncertain words that severe disciplinary action would be taken should
he try that one again.
SCOPE 3.4 introduced the "Read List String" CIO call, which was intended
for use by the loader. The idea being that you presented 1SP with a
list of disk addresses to read into a single buffer to build the
executable. Someone, noticing that this was a linked list, decided to
see what would happen if the list looped back on itself. Of course, the
obvious *did* happen with 1SP so distracted that no other disk request
would be honored, including PP overlays.
That reminded me of the S/360 trick of using chained CCWs to ring the
bell on the 1052 endlessly.
Fun times.
--Chuck