From: Diomidis Spinellis <dds@aueb.gr>
To: Noel Chiappa <jnc@mercury.lcs.mit.edu>, tuhs@minnie.tuhs.org
Subject: Re: [TUHS] Accessing the PDP-11/70 MMU registers and the kernel's u area
Date: Sun, 14 Jun 2020 19:13:08 +0300 [thread overview]
Message-ID: <6d0060c0-f577-9402-5e9a-e3fdc5cb25ea@aueb.gr> (raw)
In-Reply-To: <20200614144643.E4BBF18C09D@mercury.lcs.mit.edu>
On 14-Jun-20 17:46, Noel Chiappa wrote:
> I don't know about 2.11, but in other PDP-11 Unixes, /dev/mem gives access to
> the actual CPU memory bus (which on a /34, etc, is the 18-bit address UNIBUS;
> on a /70 it's a separate 22-bit address bus). In the /70 memory address
> space, the 'I/O page' (which is where the PxR's live) is at the top end of it,
> i.e. the registers are at 017772360 (KDSAR0), etc.
Indeed, fetching data from the I/O page region gives plausible values
and everything works beautifully. Thank you!
The value of the kernel's u is 0140000, so it begins exactly at the start
of the memory mapped by kernel D-space PAR #6
sim> examine 17772374
17772374: 016226
Offset of u_uid in struct user is 0242, so its physical memory address is:
016226 * 0100 + 0242 = 01623042
sim> examine 1623042
1623042: 000145
sim> examine 1623044
1623044: 000145
sim> examine 1623046
1623046: 000145
This indeed matches my uid (0145) repeated for svuid and ruid.
Even better (and this was my original proof of concept goal), setting
those addresses to 0 provides root access.
$ id
uid=101(dds) gid=101 groups=101, 0(wheel)
$ while : ; do : ; done
Simulation stopped, PC: 040214 (BNE 40232)
sim> deposit 1623042 0
sim> deposit 1623044 0
sim> deposit 1623046 0
sim> cont
$ id
uid=0(root) gid=101 groups=101, 0(wheel)
One remaining puzzle is why this doesn't work when examining the
kernel's virtual address. I would expect to see my user id again below.
sim> examine -v -k -d -o 140242
140242: 000026
Diomidis
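The address arithmetic used in the message above (kernel D-space PAR #6 times 0100, plus the field offset within struct user) is the PDP-11/70 memory-management translation carried out by hand. The following C program is an added example, not code from the original message or from 2.11BSD, that performs the same translation generally: it splits a 16-bit virtual address into its 3-bit page number and 13-bit displacement, looks up the matching PAR, and forms the 22-bit physical address, and it also computes where each KDSAR register lives in the I/O page from the KDSAR0 address quoted above. The PAR value (016226), the u address (0140000), the u_uid offset (0242) and the uid (0145) are taken from the message; the register spacing of two bytes per PAR and the 0242 offset being valid for that particular kernel build are stated assumptions, as is the name of every function here.

```c
/*
 * Added example: PDP-11/70 (KT11) kernel D-space address translation,
 * reproducing by program the hand calculation in the message above.
 * Not part of the original message or of any PDP-11 Unix source.
 */
#include <stdio.h>
#include <stdint.h>

/* Kernel D-space PAR #0 in the 22-bit I/O page, as quoted in the thread. */
#define KDSAR0_IOPAGE 017772360UL

/* Values observed in the message (assumed to hold for that kernel build). */
#define KDSAR6_VALUE   016226   /* sim> examine 17772374 */
#define U_VADDR        0140000  /* kernel's u, start of PAR #6 window */
#define U_UID_OFFSET   0242     /* offsetof(struct user, u_uid), per the message */

/* Each PAR is one 16-bit word, so register n sits 2*n bytes above PAR 0
 * (assumption: standard KT11 register layout). */
uint32_t kdsar_io_address(int page)
{
    return KDSAR0_IOPAGE + 2UL * (uint32_t)page;
}

/* Bits 15..13 of a 16-bit virtual address select one of eight pages. */
int kt11_page(uint16_t vaddr)
{
    return (vaddr >> 13) & 07;
}

/* Bits 12..0 are the displacement inside the 8 KiB page. */
uint16_t kt11_displacement(uint16_t vaddr)
{
    return vaddr & 017777;
}

/* The PAR holds the page base in 64-byte (0100) units, hence the shift by 6.
 * par[] is the kernel D-space PAR array (8 words). Result is a 22-bit
 * physical address; no PDR length/access check is done here. */
uint32_t kt11_translate(uint16_t vaddr, const uint16_t par[8])
{
    uint32_t base = (uint32_t)par[kt11_page(vaddr)] << 6;
    return (base + kt11_displacement(vaddr)) & 017777777UL;
}

/* Physical address of a field at 'offset' bytes into the kernel's u area,
 * given the u virtual address and the PAR table. */
uint32_t u_field_phys(uint16_t u_vaddr, uint16_t offset, const uint16_t par[8])
{
    return kt11_translate((uint16_t)(u_vaddr + offset), par);
}

int main(void)
{
    /* Only PAR #6 is known from the message; the others are left zero. */
    uint16_t kdsar[8] = {0};
    kdsar[6] = KDSAR6_VALUE;

    uint16_t uid_vaddr = (uint16_t)(U_VADDR + U_UID_OFFSET);
    uint32_t uid_paddr = u_field_phys(U_VADDR, U_UID_OFFSET, kdsar);

    printf("KDSAR6 I/O page address: %o\n", (unsigned)kdsar_io_address(6));
    printf("u_uid virtual address:   %o (page %d, displacement %o)\n",
           uid_vaddr, kt11_page(uid_vaddr), kt11_displacement(uid_vaddr));
    printf("u_uid physical address:  %o\n", (unsigned)uid_paddr);
    /* The three consecutive words u_uid, u_svuid, u_ruid follow at +2, +4. */
    printf("examine range:           %o-%o\n",
           (unsigned)uid_paddr, (unsigned)(uid_paddr + 4));
    return 0;
}
```

Running the program prints 17772374 for the register address and 1623042 for u_uid, matching the `examine` commands in the message; the same `kt11_translate` call with a different PAR value is all that is needed when the kernel has mapped the u area elsewhere.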