Re: finding callers key in svc

2024-04-26 Thread Wayne Driscoll
The key is in the RBOPSW of the caller's RB. As for the byte count, MVCSK
uses the same format of the length in the register as you would use in an EX
instruction, 1 less than the actual length. Also, if you look at the
assembly listing for an MVC, for example MVC  0(8,R3),0(R8) the assembler
will generate D207 3000 8000, so it uses a length of 1 less than the
length.

Wayne Driscoll
Note: All opinions strictly my own.

On Fri, Apr 26, 2024 at 2:21 PM Erik Janssen <
062c999269e8-dmarc-requ...@listserv.ua.edu> wrote:

> Hello List,
>
> Is there way to determine the key that the caller of a SVC is executing
> in? For a PC routine doing an ESTA and some shifting seems to be the way to
> find the key, but I'm unsure how the same could be done from a user SVC.
> Is it somewhere in the SVRB?
> Also, I see this example in the authorized code scanner:
>
> https://www.ibm.com/docs/en/zos/2.4.0?topic=fixes-fetch-vulnerability-example
>
> vulnerable:
>    LA    R3,copyparms
>    MVC   0(4,R3),0(R2)
>
> fixed:
>    LHI   R3,1
>    ESTA  R0,R3
>    SRDL  R0,48
>    LHI   R0,3
>    LA    R3,copyparms
>    MVCSK 0(R3),0(R2)
>
> I noticed that the length loading in R0 for the MVCSK is 3, while in the
> vulnerable mvc example the length is 4.
> The POP for MVCSK says:
> L specifies the number of bytes to the right of the first
> byte of each operand. Therefore, the length in bytes
> of each operand is 1-256, corresponding to a length
> code in L of 0-255.
>
> Is there any logic behind why MVC uses the actual byte count and MVCSK
> uses the 'number of bytes to the right'?
>
> Kind regards,
> Erik Janssen.
>
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


-- 
Wayne Driscoll
Software Engineer | Mainframe Software Division
Broadcom Software

*Office: *630-300-1931* Mobile:* 630-247-1632
wayne.drisc...@broadcom.com



Re: finding callers key in svc

2024-04-26 Thread Seymour J Metz
What type of SVC? The SVRB only exists for 3, 3 and 4.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר




Re: finding callers key in svc

2024-04-26 Thread Erik Janssen
It is a type 3 svc. 
I also saw an example that uses the TCBPKF field to determine the key. So I 
guess that is also an option?

On Fri, 26 Apr 2024 20:20:26 +, Seymour J Metz  wrote:

>What type of SVC? The SVRB only exists for 3, 3 and 4.
>
>--



Re: finding callers key in svc

2024-04-26 Thread Seymour J Metz
NO! Use RBOPSW; the caller might not be in the PSW key.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר




Re: finding callers key in svc

2024-04-26 Thread Erik Janssen
On Fri, 26 Apr 2024 21:36:36 +, Seymour J Metz  wrote:

>NO! Use RBOPSW; the caller might not be in the PSW key.
>
>--

Could you explain in what situation that happens? Is that when the task is 
multithreaded and another thread has changed the key in the psw in between the 
call to the svc and the time of looking at the psw?
Thank you all for the quick responses by the way :-)



Re: finding callers key in svc

2024-04-26 Thread Seymour J Metz
MODESET. An SVC that calls another SVC. ...

Multithreading would normally involve multiple TCBs.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר




Re: finding callers key in svc

2024-04-27 Thread Peter Relson

is there any logic behind why MVC uses the actual byte count and MVCSK uses the 
'number of bytes to the right'?


As Wayne D pointed out, for MVC the user codes "n" and the instruction text 
uses "n-1". This is almost certainly for effectiveness. Having 8 bits of 
instruction text lets you cover a range of 1-256 bytes instead of 0-255 bytes. 
You would have been very unhappy if you could only move 255 bytes with a single 
MVC if moving a long string (particularly in the days before MVCL). FWIW, this 
is why if you EXecute an MVC, the value you put into the register is "n-1".

For MVCSK/MVCDK, the user does not code a length, and the length is not in the 
instruction text. The length is in a register. So the user puts the value there 
by a separate instruction.

So both actually use "number of bytes to the right" (or, as I think of it, 
"length minus one").

You could ask "for MVCSK/MVCDK, since the length is in a register, why did you 
go with n-1 in the register instead of n?". I don't recall exactly but it was 
likely for either (or both) of consistency with MVC (such as the execute case) 
or for cost savings (perhaps being able to share part of the implementation).

As to the initial question, as pointed out, it depends on the type of the SVC. 
The SVC owner knows what type it is (because they defined it) and can look in 
the right place for that type of SVC, just as they look in the right place for 
the caller's regs (for which the answer is different than the psw/key, but 
similarly depends on the type of the SVC).

Peter Relson
z/OS Core Technology Design




Re: finding callers key in svc

2024-04-30 Thread Erik Janssen

>
>As to the initial question, as pointed out, it depends on the type of the SVC. 
>The SVC owner knows what type it is (because they defined it) and can look in 
>the right place for that type of SVC, just as they look in the right place for 
>the caller's regs (for which the answer is different than the psw/key, but 
>similarly depends on the type of the SVC.
>


I had the idea that this code in the SVC would give me the key the SVC caller 
was executing in:

         USING RBBASIC,R5         POINT TO REQUEST BLOCK
         L     R7,RBLINK          LOAD CALLER RB IN REG 7
         DROP  R5                 DROP SVC RB MAPPING
         USING RBBASIC,R7         AND NOW MAP CALLER RB
         L     R1,RBOPSW          GET CALLER PSW AND PUT IN REG 1
         N     R1,=X'00F00000'    ONLY PSW KEY
         SRL   R1,16              SHIFT TO 00K0
         ST    R1,KEY             STORE CALLER KEY
         DC    H'0'               FORCE ABEND

However, when I call this SVC from a problem program that switches to key 9 
before the call:

 SPKA  X'90'(0)  SWITCH TO KEY 9
 SVC   255  

I see that R1 has a value of x'0080' (key 8) at the time of the abend, 
where I was expecting x'0090'.
I see that it is possible that there are more request blocks. Am I not 
looking at the right one, and if so, how do you know if you reached the top RB, 
or is my approach really wrong?

Kind regards,

Erik Janssen.



Re: finding callers key in svc

2024-04-30 Thread Wayne Driscoll
If you are in a Type 2, 3 or 4 SVC, the PSW at the time of the SVC
instruction is in the SVRB whose address is in R5 upon entry, that is the
RBOPSW you would want to interrogate. Your code is looking at the PSW at
the time the caller's RB was created, mostly via a LINK or ATTACH SVC, since
it was a problem program.
Wayne Driscoll
Note: all opinions are strictly my own.



Re: finding callers key in svc

2024-04-30 Thread Erik Janssen
I must be doing something wrong, because if I do that it indicates key 0. I was 
expecting key 9 somewhere...



Re: finding callers key in svc

2024-05-01 Thread Steve Austin
I believe the PSW will be in the PRB rather than the SVRB; the registers
will be in the SVRB.



Re: finding callers key in svc

2024-05-01 Thread Peter Relson

         USING RBBASIC,R5         POINT TO REQUEST BLOCK
         L     R7,RBLINK          LOAD CALLER RB IN REG 7
         DROP  R5                 DROP SVC RB MAPPING
         USING RBBASIC,R7         AND NOW MAP CALLER RB
         L     R1,RBOPSW          GET CALLER PSW AND PUT IN REG 1
         N     R1,=X'00F00000'    ONLY PSW KEY
         SRL   R1,16              SHIFT TO 00K0
*        ST    R1,KEY             STORE CALLER KEY
         DC    H'0'               FORCE ABEND


If your SVC is a type 2/3/4 SVC, the code works.
I can't speak to how you are debugging or what you are seeing in a dump because 
you have not shared any of that information.

You could even try this without needing your own SVC by having your code in a 
LINK target, at least to verify that you are seeing the PSW of the SVC issuer 
(SVC 6 in the simplest LINK case). You wouldn't have R5 set on input but can 
easily pick that up via (IHAPSA) PSATOLD -> (IKJTCB) TCBRBP.

It is in general poor form to use RBLINK rather than RBLINKB unless AMODE 24, 
but in your case you would know that the caller's RB is not waiting so the high 
byte will have a 0 wait count so can get away with using the 4-byte name.

These days, the L/N/SRL has many better alternatives, such as
LLC (of the 2nd byte of RBOPSW) / NILL (to clear the low 4 bits if for some 
reason you need to do so).

Peter Relson
z/OS Core Technology Design




Re: finding callers key in svc

2024-05-01 Thread Seymour J Metz
Even on a S/360 that code is inefficient, but still valid.

         USING RBBASIC,R5         POINT TO REQUEST BLOCK
         L     R7,RBLINK          LOAD CALLER RB IN REG 7
         DROP  R5                 DROP SVC RB MAPPING
         USING RBBASIC,R7         AND NOW MAP CALLER RB
         SR    R1,R1
         IC    R1,RBOPSWB2        Key and flags
         N     R1,=XL4'F0'        Isolate PSW KEY
*        ST    R1,KEY             STORE CALLER KEY
         DC    H'0'               FORCE ABEND

As a matter of style I would probably have written

         USING RBBASIC,R5         SVRB address set on entry
         L     R7,RBLINK          CALLER's RB
CALLER   USING RBBASIC,R7
         SR    R1,R1
         IC    R1,CALLER.RBOPSWB2 Key and flags
         N     R1,=XL4'F0'        Isolate PSW KEY
*        ST    R1,KEY             STORE CALLER KEY
         DC    H'0'               FORCE ABEND

I would take a closer look at the SPKA code.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר




Re: finding callers key in svc

2024-05-01 Thread Seymour J Metz
No; the dispatcher gets the PSW from the top RB and the registers from the TCB. 
NB: where are the 12 new FP registers and the non-overlapping vector registers.

The PSW at the time of entry is in the caller's RB and the registers at the 
time of entry are in the new RB. Thus it ever was.

Out of curiosity, what are the fields for the GR top halves?

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר




Re: finding callers key in svc

2024-05-01 Thread Erik Janssen
I took your advice to heart, started using RBLINKB instead of RBLINK. 
I wasn't aware I could use a label on a using and use that for reference.
We have an existing SVC that reads from a given memory location and I want to 
secure it to use MVCDK and MVCSK, thus my need to find the caller's key. 
It is used by quite some application programs, so removing it is not an option 
on the short term unfortunately.

The issue is in my test program that does the switch to key 9. 
The SPKA x'90'(0) instruction properly gets translated to a B20A 0090 and from 
the abend I can see in the psw that it does have key 9.
The abend I get is a 0C4 abend, which surprised me, but I'm guessing it just 
cannot read the next instruction anymore since that is in key 8 storage? Or is 
there something else I'm missing.
If I'm correct, how does one switch to another key and keep executing code?

The code is:

SVCNORM  CSECT
SVCNORM  AMODE 31
SVCNORM  RMODE ANY
         LR    R12,R15
         USING SVCNORM,R12
         SPKA  x'90'(0)
         DC    H'0'

Thank you all for your responses.

Kind regards,
Erik.






Re: finding callers key in svc

2024-05-02 Thread Erik Janssen
I can see in the dump that my program is in subpool 251 and this is fetch 
protected, so it explains the abend I guess. 
SUBPOOL 251  KEY 08  OWNED BY TCB 008D2AA0 
ADDRESS 2000  LENGTH 2000  
FREE AREA 2000  LENGTH 00A8

Is there a way to force the program to go to subpool 244 for example, that is 
not fetch protected?
I'm trying to create an easy test program that could simulate the situation 
where the svc is called from a cics task running in key 9 trying to access key 
8 storage. That case would fail if I start using MVCSK and MVCDK, and perhaps I 
can add an ESTAE to do recovery in that scenario. First thing I would like to 
try is to create an ESTAE that would just WTO the 0C4 situation, for example 
'task running in key xx tried to access storage in key yy'  .

The dump shows:
IEA995I SYMPTOM DUMP OUTPUT  223  
SYSTEM COMPLETION CODE=0C4  REASON CODE=0004  
 TIME=04.50.16  SEQ=00035  CPU=  ASID=0029
 PSW AT TIME OF ERROR  079D   A0B0  ILC 2  INTC 04
   ACTIVE MODULE   ADDRESS=_20A8  OFFSET=0008 
   NAME=SVCNORM   
   DATA AT PSW  20AA - B20A0090  1BFF  07FEC3C9   
   GR 0: 0064   1: 6FF8   
  2: 0040   3: 008DBD64   
  4: 008DBD40   5: 008FB058   
  6: 008C9FC8   7: 00FB5000   
  8: 008FD608   9: 008D2CB0   
  A: 01DAFB00   B: 0001   
  C: A0A8   D: 6F60   
  E: 80FD7B30   F: A0A8   

Kind regards,

Erik. 



Re: finding callers key in svc

2024-05-02 Thread Jim Mulder
  Use the ATTACHX macro with KEY=NINE  to attach a key 9 subtask.  That's what 
CICS does.

Jim Mulder z/OS Diagnosis, Design, Development, Test  IBM Corp. Poughkeepsie NY


>Is there a way to force the program to go to subpool 244 for example, that is 
>not fetch protected?
>I'm trying to create an easy test program that could simulate the situation 
>where the svc is called from a cics task running in key 9 trying to access key 
>8 storage. That case would fail if I start using MVCSK and MVCDK, and perhaps I 
>can add an ESTAE to do recovery in that scenario. First thing I
>would like to try is to create an ESTAE that would just WTO the 0C4 situation, 
>for example 'task running in key xx tried to access storage in key yy'  .




Re: finding callers key in svc

2024-05-02 Thread Peter Relson
Please try to have different threads with suitable subjects for each. The 0C4 
is unrelated to the subject.

Since the code shown for the SVC routine is correct for type 2/3/4 yet you say 
that you do not find the right data, then prove it:
Show the definition of the SVC, show extracts from IPCS looking at the dump 
storage.

If you are blowing up at the instruction right after the SPKA to a different 
key, regardless of what that instruction was, then your program is in key 8 
fetch-protected storage so unless your new key is 0, you will not be able to 
access the instruction. Requirements for placing a reentrant program into key 0 
non-fetch-protected storage depend on authorization and various system-wide 
options, along with the possibility of doing an ATTACHX with the KEY=NINE 
parameter (which will place into key 0 storage without relying on 
authorization).

Peter Relson
z/OS Core Technology Design
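
The protection rules this thread turns on, as an added Python model (not code from any poster or from IBM): it shows why a key-0 SVC that copies caller parameters with MVC can be used to read fetch-protected storage, why MVCSK with the key taken from the caller's RBOPSW stops that, and why the instruction after SPKA X'90' takes an 0C4 when the program sits in key 8 fetch-protected storage. The Storage class, the PSW words and the area contents are constructed for illustration; storage-protection override and the problem-state PSW-key-mask check on MVCSK are not modelled.

```python
"""Toy model of key-controlled protection for the SVC discussed in this thread."""
from dataclasses import dataclass


class ProtectionException(Exception):
    """Stands in for program interruption 0004 (seen as ABEND 0C4, reason 4)."""


@dataclass
class Storage:
    key: int                # access-control bits of the storage key, 0-15
    fetch_protected: bool   # fetch-protection bit of the storage key
    data: bytes


def check_access(access_key: int, area: Storage, store: bool) -> None:
    """Basic key-controlled protection rule only (assumption: no overrides)."""
    if access_key == 0 or access_key == area.key:
        return                      # key 0 or matching key: always allowed
    if not store and not area.fetch_protected:
        return                      # mismatched key may still fetch unprotected storage
    raise ProtectionException(f"key {access_key} vs storage key {area.key}")


def psw_key(rbopsw_word0: int) -> int:
    """PSW bits 8-11: the high nibble of the second byte of RBOPSW."""
    return (rbopsw_word0 >> 20) & 0xF


def mvc(current_key: int, src: Storage, length: int) -> bytes:
    """MVC fetches the source with the current PSW key; length coded as 1-256."""
    if not 1 <= length <= 256:
        raise ValueError("MVC moves 1-256 bytes")
    check_access(current_key, src, store=False)
    return src.data[:length]


def mvcsk(r0: int, r1: int, src: Storage) -> bytes:
    """MVCSK fetches the source with the key in R1; R0 holds length minus one."""
    length = (r0 & 0xFF) + 1
    source_key = (r1 >> 4) & 0xF    # key sits in bits 56-59 of R1
    check_access(source_key, src, store=False)
    return src.data[:length]


def svc_copy_parms(caller_rbopsw_word0: int, parms: Storage, hardened: bool) -> bytes:
    """Key-0 SVC copying 4 bytes from a caller-supplied address.

    The destination is the SVC's own work area, so only the source is checked.
    """
    svc_key = 0
    if not hardened:
        return mvc(svc_key, parms, 4)            # "vulnerable" form from the thread
    r1 = psw_key(caller_rbopsw_word0) << 4       # caller key into bits 56-59
    return mvcsk(r0=3, r1=r1, src=parms)         # "fixed" form: length code 3


def fetch_next_instruction(current_key: int, program: Storage) -> bytes:
    """Instruction fetch is subject to the same fetch-protection check."""
    check_access(current_key, program, store=False)
    return program.data[:2]


def outcome(fn, *args):
    """Run fn and report either its result or the abend it would cause."""
    try:
        return fn(*args)
    except ProtectionException:
        return "0C4"


# Constructed sample state (not taken from any dump in the thread).
KEY8_PSW = 0x078D1000     # first word of a problem-state PSW with key 8
KEY9_PSW = 0x079D1000     # same, after SPKA X'90'
SYSTEM_AREA = Storage(key=0, fetch_protected=True, data=b"SECRET")
CALLER_AREA = Storage(key=8, fetch_protected=True, data=b"PARMDATA")
PROGRAM_SP251 = Storage(key=8, fetch_protected=True, data=bytes(2))
PROGRAM_KEY0 = Storage(key=0, fetch_protected=False, data=bytes(2))

if __name__ == "__main__":
    print("MVC, key-8 caller, system area:  ",
          outcome(svc_copy_parms, KEY8_PSW, SYSTEM_AREA, False))
    print("MVCSK, key-8 caller, system area:",
          outcome(svc_copy_parms, KEY8_PSW, SYSTEM_AREA, True))
    print("MVCSK, key-8 caller, own area:   ",
          outcome(svc_copy_parms, KEY8_PSW, CALLER_AREA, True))
    print("MVCSK, key-9 caller, key-8 area: ",
          outcome(svc_copy_parms, KEY9_PSW, CALLER_AREA, True))
    print("fetch after SPKA, subpool 251:   ",
          outcome(fetch_next_instruction, 9, PROGRAM_SP251))
    print("fetch after SPKA, key-0 storage: ",
          outcome(fetch_next_instruction, 9, PROGRAM_KEY0))
```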

