From: MERC::"uunet!WKUVX1.BITNET!MacroMan" 27-MAR-1993 00:25:54.79
To:   MACRO32
CC:
Subj: FTS crashes VMS v5.4 (#2)

After I posted a code ditty to subvert a P1 system service vector, Bruce R.
Miller (MILLER@TGV.COM) announced that he was making available his FTS
program. It sounded interesting, so I obtained a copy. Running this on a VMS
version 5.4-2 system, I quickly (and much to my dismay) learned that this
program is a GRREEEATT system crasher! Here's why!

SDA> SHOW STACK
Process stacks (on CPU 01)
--------------------------
Current operating stack (KERNEL):

        7FFE7744  7FEBF130
           :         :
        7FFE7760  00020000   UCB$M_LCL_VALID
SP =>   7FFE7764  00000000
        7FFE7768  00000000
           :         :
        7FFE779C  000008F8   BUG$_GFX_INVTB+00008
A ----> 7FFE77A0  00000005   ; NARGS
C ----> 7FFE77A4  0000000C   ; ACCESS VIOLATION
C ----> 7FFE77A8  00000000   ; REASON MASK (READ)
V ----> 7FFE77AC  7FFEE800   ; THE VA
I ----> 7FFE77B0  00007AE7   ; THE PC
O ----> 7FFE77B4  08C20004   ; THE PSL
           :         :
        7FFE77EC  7FEBEFFC
        7FFE77F0  7FEBEFE0
        7FFE77F4  803AF9E0   EXE$CMODKRNL+00080
        7FFE77F8  7FFEDE96   SYS$CMKRNL+00006
        7FFE77FC  03C00000

SDA> EXAM/INST 7AE7-30;30
        00007AB7:  PUSHL   #00
        00007AB9:  PUSHL   #0000000E
        00007ABF:  PUSHL   #00
        00007AC1:  PUSHL   #0000758E
        00007AC7:  PUSHL   #00007586
        00007ACD:  CALLS   #05,@#SYS$SETPRT
        00007AD4:  BLBS    R0,00007ADA
        00007AD7:  BRW     00007B6C
        00007ADA:  MFPR    #12,R7
        00007ADD:  MTPR    #02,#12
        00007AE0:  MOVL    #7FFEDE00,R2
        00007AE7:  MOVC3   #0C00,(R2),(R6)

SDA> SHOW PROCESS/PAGE_TABLE P1SYSVECTORS;0C00
Process index: 00A4   Name: 7 VAX Man 7   Extended PID: 202010A4
------------------------------------------------------------------

Process page table
------------------

ADDRESS   SVAPTE    PTE       TYPE   PROT  BITS   PAGTYP   LOC
7FFEDE00  8234B9BC  F400242B  VALID  URKW  M L K  PROCESS  ACTIVE
7FFEE000  8234B9C0  F400C7A4  VALID  URKW  M L K  PROCESS  ACTIVE
7FFEE200  8234B9C4  F400090A  VALID  URKW  M L K  PROCESS  ACTIVE
7FFEE400  8234B9C8  F4002B63  VALID  URKW  M L K  PROCESS  ACTIVE
7FFEE600  8234B9CC  F4005AB3  VALID  URKW  M L K  PROCESS  ACTIVE
-------- 2 NULL PAGES

The above segment of code corresponds with the following excerpt from FTS:

JASMON.MAR (starting at label 30$)

;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Replace the P1 system service vector
;---------------------------------------------------------------------
	.entry	JASMON_replace_P1_vector,^m	; register save mask not preserved in this copy

; Allocate new pages in P1 space to hold old vector
	MOVL	4(AP),R0		; Get database address
	MOVL	#SSV_Length+1024,R1	; Space for old vect + 512 on sides
	jsb	g^exe$alop1proc		; Attempt allocation
	blbs	r0,10$			; If failed exit error
	BRW	110$			;
10$:	ADDL3	#512,R2,R6		; Start of data area
	MOVL	4(AP),R2		; Get database address
	MOVL	R6,j_data_orig(R2)	; Save pointer to saved vector
	MOVL	R6,OldVA		; set starting VA
	ADDL3	#SSV_Length-1,R6,OldVA+4 ; set ending VA

; Lock the new pages.
	PUSHL	#PSL$C_KERNEL		; map kmode pages
	PUSHL	#NewVA			; ...
	PUSHL	#OldVA			; onto P1 sys vectors
	CALLS	#3,G^SYS$LKWSET		; do it
	blbs	r0,30$			; If failed exit error
	BRW	100$			;
30$:
; Fixup the page protection (make 'em look real)
	PUSHL	#0
	PUSHL	#PRT$C_URKW		; User read, kernel write
	PUSHL	#PSL$C_KERNEL		; map kmode pages
	PUSHL	#NewVA			; ...
	PUSHL	#OldVA			; onto P1 sys vectors
	CALLS	#5,G^SYS$SETPRT
	blbs	r0,40$			; If failed exit error
	BRW	100$			;

; Synch
40$:	DSBINT	IPL=#IPL$_ASTDEL, DST=R7, ENVIRON=UNIPROCESSOR

; Copy original SS vectors to storage buffer
	MOVL	#P1SYSVECTORS,R2
--->	MOVC3	#SSV_Length,(R2),(r6)	; Copy (kills R1-R5)

The access violation stemmed from uninitialized vector pages of the S0 vector
table not being mapped in the P1 table. The value of SSV_Length caused the
MOVC3 instruction to attempt a read into a VA page with no access.

ACCESS VIOLATION + KERNEL MODE => Real fast system shutdown :-(

A better method might be to calculate the length of the P1 vector table in
conjunction with the use of the IFNORD macro (PROBER instruction), testing
each page to be copied for read access. Turns out, there are 5 pages above
P1SYSVECTORS in V5.4-(1,2,3). V5.5 has 6 pages above this base. Thus, the
code did not fail for those running 5.5, since the value of SSV_Length
(%x0C00) covers only 6 pages.

Bruce does provide a caveat/disclaimer when the program is run... and I did
expect to crash the system. I just didn't think it would be so easy to do and
so easy to figure out! :-(

BJS-
/Brian Schenkenberger/Schenkenberg@Eisner.DECUS.Org/Space for Rent/
/VMS Software Support/Vitronics, Inc./Eatontown, NJ/(908) 542-0600/
/Independent Consult./Tmesis Consulting/Jackson, NJ/(908) 363-7551/
/@Monmouth-ETDL1.Army.Mil/CIS: 70253,114/
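The two copy strategies the post contrasts, as an added example that is not part of the original message nor of FTS/JASMON.MAR: a C simulation in which a kernel-mode MOVC3 over the fixed SSV_Length (%x0C00) is compared with a copy that walks the range one 512-byte VAX page at a time and probes each page for read access first (the role IFNORD/PROBER play on a real VAX). The "page table" is a constructed array of valid/null flags, not a VAX PTE; the base address 7FFEDE00, the copy length, and the 5-versus-6 mapped pages are taken from the SDA output above. With five pages mapped, the fixed copy faults at 7FFEE800, exactly the VA in the crash dump, while the probed copy stops after 0A00 bytes.

```c
/*
 * Added example: fixed-length MOVC3-style copy versus probe-then-copy over
 * the P1 system service vector pages.  Everything here is a simulation;
 * sim_p1_t is a constructed stand-in for the process page table.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

#define VAX_PAGE        512u
#define P1SYSVECTORS    0x7FFEDE00u   /* base of the P1 vector table (from the SDA output) */
#define SSV_LENGTH      0x0C00u       /* FTS's fixed copy length: 6 pages */
#define SIM_PAGES       8             /* pages modelled above P1SYSVECTORS */

typedef struct {
    uint32_t      base;                         /* first VA of the modelled region */
    unsigned char mapped[SIM_PAGES];            /* 1 = VALID page, 0 = NULL page */
    unsigned char data[SIM_PAGES * VAX_PAGE];   /* constructed backing bytes */
} sim_p1_t;

/* Build a region with the first `valid_pages` pages mapped and the rest null. */
static void sim_init(sim_p1_t *p1, int valid_pages) {
    memset(p1, 0, sizeof *p1);
    p1->base = P1SYSVECTORS;
    for (int i = 0; i < SIM_PAGES; i++) {
        p1->mapped[i] = (i < valid_pages);
        /* constructed contents: page i is filled with the byte 0x10+i */
        memset(p1->data + (size_t)i * VAX_PAGE, 0x10 + i, VAX_PAGE);
    }
}

/* Stand-in for IFNORD (PROBER): may kernel mode read the page holding `va`? */
static int probe_read(const sim_p1_t *p1, uint32_t va) {
    if (va < p1->base) return 0;
    uint32_t page = (va - p1->base) / VAX_PAGE;
    return page < SIM_PAGES && p1->mapped[page];
}

/*
 * MOVC3-style copy: fixed length, no probing.  Returns 0 if every page in the
 * range is readable, otherwise the VA of the first inaccessible page, which is
 * the address an ACCVIO in kernel mode would report before the system bugchecks.
 */
static uint32_t copy_fixed(const sim_p1_t *p1, uint32_t src, size_t len, unsigned char *dst) {
    for (size_t off = 0; off < len; off += VAX_PAGE)
        if (!probe_read(p1, src + (uint32_t)off)) return src + (uint32_t)off;
    memcpy(dst, p1->data + (src - p1->base), len);
    return 0;
}

/*
 * Probe-then-copy: advance one page at a time, stop at the first page that is
 * not readable.  The byte count returned is also the measured length of the
 * mapped vector table, which is what the post suggests computing.
 */
static size_t copy_probed(const sim_p1_t *p1, uint32_t src, size_t len, unsigned char *dst) {
    size_t done = 0;
    while (done < len) {
        uint32_t va = src + (uint32_t)done;
        if (!probe_read(p1, va)) break;
        size_t in_page = VAX_PAGE - (va % VAX_PAGE);      /* bytes left in this page */
        size_t n = in_page < len - done ? in_page : len - done;
        memcpy(dst + done, p1->data + (va - p1->base), n);
        done += n;
    }
    return done;
}

/* VA the fixed-length copy faults on for a layout with `valid_pages` mapped pages (0 = none). */
static uint32_t fixed_copy_fault_va(int valid_pages) {
    static sim_p1_t p1;
    static unsigned char buf[SSV_LENGTH];
    sim_init(&p1, valid_pages);
    return copy_fixed(&p1, P1SYSVECTORS, SSV_LENGTH, buf);
}

/* Bytes the probed copy moves for the same layout; 0 if any copied byte is wrong. */
static size_t probed_copy_bytes(int valid_pages) {
    static sim_p1_t p1;
    static unsigned char buf[SSV_LENGTH];
    sim_init(&p1, valid_pages);
    size_t n = copy_probed(&p1, P1SYSVECTORS, SSV_LENGTH, buf);
    for (size_t i = 0; i < n; i++)       /* copied bytes must match the source pages */
        if (buf[i] != (unsigned char)(0x10 + i / VAX_PAGE)) return 0;
    return n;
}

int main(void) {
    /* V5.4-(1,2,3): five pages mapped above P1SYSVECTORS */
    printf("V5.4: MOVC3 #0C00 faults at %08" PRIX32 "; probed copy moved %04zX bytes\n",
           fixed_copy_fault_va(5), probed_copy_bytes(5));
    /* V5.5: six pages mapped, so the fixed copy happens to fit */
    printf("V5.5: MOVC3 #0C00 fault VA %08" PRIX32 " (0 = none); probed copy moved %04zX bytes\n",
           fixed_copy_fault_va(6), probed_copy_bytes(6));
    return 0;
}
```

The probed variant is the one to prefer when the source range is sized by a constant that may not match the running system's layout: it degrades to a short copy (whose length the caller can check against what it expected) instead of a kernel-mode ACCVIO.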