From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 27631 invoked from network); 14 Jun 2020 16:13:46 -0000 Received: from minnie.tuhs.org (45.79.103.53) by inbox.vuxu.org with ESMTPUTF8; 14 Jun 2020 16:13:46 -0000 Received: by minnie.tuhs.org (Postfix, from userid 112) id 4E7309C24D; Mon, 15 Jun 2020 02:13:34 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 0F1359C1C8; Mon, 15 Jun 2020 02:13:13 +1000 (AEST) Authentication-Results: minnie.tuhs.org; dkim=pass (2048-bit key; unprotected) header.d=aueb.gr header.i=@aueb.gr header.b="LMAiKx4g"; dkim-atps=neutral Received: by minnie.tuhs.org (Postfix, from userid 112) id 4F6D59C1C8; Mon, 15 Jun 2020 02:13:10 +1000 (AEST) Received: from blade-b3-vm-relay.servers.aueb.gr (blade-b3-vm-relay.servers.aueb.gr [195.251.255.106]) by minnie.tuhs.org (Postfix) with ESMTP id 2F942945D9 for ; Mon, 15 Jun 2020 02:13:09 +1000 (AEST) Received: from blade-a1-vm-smtp.servers.aueb.gr (blade-a1-vm-smtp.servers.aueb.gr [195.251.255.217]) by blade-b3-vm-relay.servers.aueb.gr (Postfix) with ESMTP id 57EC2A6F; Sun, 14 Jun 2020 19:13:07 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aueb.gr; s=201901; t=1592151187; bh=F3Lu/muBsKZa0iEzcmkXrQv1lShwS6RSlWKd0+zZyA8=; h=Subject:To:References:From:Date:In-Reply-To:From; b=LMAiKx4grZTLugaU1QVP3KlqzD3PKvGlNbgcxKcpun/K/Av3WEn3EquRu2wFIEaxh 3xBIvqBEHYVQMSjaLvtNv9gGVIHjq4E6JSnTVEbqeCKdTBx+3vyhdIIy3Z0SOtzaH9 r6gR0YilsKfcPkqGUkm89mfnYrDi/ADarMRN37xzhJutyYcDVibFWZXVLOFFSBcou9 DEReEgKNaIYQV/ssMWcAJ9rxOUteKH6wa7MX1zjVlwBhHXzpjEqPZsJhIGvZcBslUj hrTqDIIEQZbamru70aM13hh2y/JQEPFs3UTMNtoT+D36JEjtTB7VDj8z4P3rgNCI1U KPc8XWjbILgNw== Received: from [192.168.136.3] (ppp-94-66-137-11.home.otenet.gr [94.66.137.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: dds) by blade-a1-vm-smtp.servers.aueb.gr (Postfix) with ESMTPSA id F199859F; Sun, 14 Jun 2020 19:13:06 +0300 (EEST) To: Noel Chiappa , tuhs@minnie.tuhs.org References: <20200614144643.E4BBF18C09D@mercury.lcs.mit.edu> From: Diomidis Spinellis Phone: +30 210 8203621 Message-ID: <6d0060c0-f577-9402-5e9a-e3fdc5cb25ea@aueb.gr> Date: Sun, 14 Jun 2020 19:13:08 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0 MIME-Version: 1.0 In-Reply-To: <20200614144643.E4BBF18C09D@mercury.lcs.mit.edu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: el Content-Transfer-Encoding: 7bit Subject: Re: [TUHS] Accessing the PDP-11/70 MMU registers and the kernel's u area X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" On 14-Jun-20 17:46, Noel Chiappa wrote: > I don't know about 2.11, but in other PDP-11 Unixes, /dev/mem gives access to > the actual CPU memory bus (which on a /34, etc, is the 18-bit address UNIBUS; > on a /70 it's a separate 22-bit address bus). In the /70 memory address > space, the 'I/O page' (which is where the PxR's live) is at the top end of it, > i.e. the registers are at 017772360 (KDSAR0), etc. Indeed, fetching data from the I/O page region gives plausible values and everything works beautifully. Thank you! The value of the kernel's u is 0140000 so it begins exactly at the start of the memory mapped by kernel D-space PAR #6 sim> examine 17772374 17772374: 016226 Offset of u_uid in struct user is 0242, so its physical memory address is: 016226 * 0100 + 0242 = 01623042 sim> examine 1623042 1623042: 000145 sim> examine 1623044 1623044: 000145 sim> examine 1623046 1623046: 000145 This indeed matches my uid (0145) repeated for svuid and ruid. Even better (and this was my original proof of concept goal), setting those addresses to 0 provides root access. $ id uid=101(dds) gid=101 groups=101, 0(wheel) $ while : ; do : ; done Simulation stopped, PC: 040214 (BNE 40232) sim> deposit 1623042 0 sim> deposit 1623044 0 sim> deposit 1623046 0 sim> cont $ id uid=0(root) gid=101 groups=101, 0(wheel) One remaining puzzle is why doesn't this work when examining the kernel's virtual address. I would expect to see again my user id below. sim> examine -v -k -d -o 140242 140242: 000026 Diomidis