User-supplied addresses for protected control blocks
A potential integrity exposure exists whenever the control program
(system key/privileged mode) accepts the address of a protected system
control block from the user. For most system control blocks, this
situation should not be permitted to exist. However, in certain cases
it is necessary to allow the user to provide the address of a system
control block that describes his allocation/access to a particular
resource (for example, a data set), in order to identify that resource
from a group of similar resources (for example, a user might have
many data sets allocated). Inadequate validity checking in this situation
can create an integrity exposure, because an unauthorized problem
program could provide its own (counterfeit) control block in place
of the system block and thereby gain the ability to:
- Access a resource in an uncontrolled manner (because the control block in this case would normally define the restrictions, such as read-only for a data set, on the user's allocation to the resource).
- Gain control in an authorized state (because such control blocks might contain the addresses of routines that run in supervisor state with PSW key 0-7).
- Cause various other problems depending on exactly what data is in the control block involved.
To avoid this type of exposure, the control program must verify,
for every such address accepted from a problem program, that the address
is that of:
1. A protected control block created by the control program.
2. The correct type of control program block (for example, a TCB versus a DEB, or a QSAM DEB versus an ISAM DEB).
3. A control block created for use in connection with the user (job step) that supplied the address.
In the system, verification is generally accomplished by establishing
a chain or table of the particular type of control block to be validated.
This chain or table is located via a protected and jobstep-related
control block that is known to be valid. Addresses that the user is not
allowed to supply are located via a chain of protected control
blocks that begins with a control block known to be valid or fixed
at a known location at IPL time, such as the CVT. Therefore, a control
block can only be entered in the chain/table by:
- An authorized program, which satisfies point 1.
- Definition, because the chain/table establishes the type of control block, which satisfies point 2.
- Definition, because each chain/table is located only through a jobstep-related control block, which satisfies point 3.
Note: This does not imply that a system routine must go
back to the CVT or similar control block every time it wants to establish
a valid chain. Typically, a control block address not too far down
on such a chain is available and already validated in a register.
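A simplified model of the chain-walk verification described above, as an added example in C. This is not code from the MVS control program: the structures, field names, job steps and counterfeit block are constructed for illustration, and the "DEB" and "TCB" roles are stand-ins for the real control blocks.

```c
#include <stdio.h>

/* Simplified model of protected control blocks, constructed for this example;
 * the field names are hypothetical and do not match the real MVS DEB/TCB layouts. */
typedef enum { CB_DEB_QSAM = 1, CB_DEB_ISAM = 2 } cb_type_t;

typedef struct ctl_block {
    cb_type_t type;          /* kind of block the control program built */
    int read_only;           /* restriction recorded when the resource was allocated */
    struct ctl_block *next;  /* chain link, written only by the control program */
} ctl_block_t;

/* Job-step-related anchor known to be valid (stands in for the TCB, itself reached
 * from the CVT); it holds the head of this step's DEB chain. */
typedef struct { ctl_block_t *chain_head; } jobstep_t;

/* Validate a user-supplied address by walking the chain from the trusted anchor
 * instead of trusting the pointer: the block must be on this job step's chain
 * (points 1 and 3) and of the expected type (point 2). The walk is bounded so a
 * damaged chain cannot loop forever. Returns the block, or NULL on any failure. */
const ctl_block_t *validate_cb(const jobstep_t *js, const void *user_addr,
                               cb_type_t expected, size_t max_chain)
{
    size_t n = 0;
    for (const ctl_block_t *p = js->chain_head; p != NULL && n < max_chain;
         p = p->next, n++) {
        if ((const void *)p == user_addr)
            return p->type == expected ? p : NULL;  /* on the chain; now check type */
    }
    return NULL;  /* not reachable from the anchor: counterfeit or another step's block */
}

/* Constructed scenario: job step A owns two DEBs, job step B owns one, and a
 * problem program has built a counterfeit block in its own storage. */
ctl_block_t deb_a1 = { CB_DEB_QSAM, 1, NULL };
ctl_block_t deb_a2 = { CB_DEB_ISAM, 0, &deb_a1 };
ctl_block_t deb_b1 = { CB_DEB_QSAM, 0, NULL };
ctl_block_t counterfeit = { CB_DEB_QSAM, 0, NULL };
jobstep_t jobstep_a = { &deb_a2 };
jobstep_t jobstep_b = { &deb_b1 };

int main(void)
{
    const ctl_block_t *ok = validate_cb(&jobstep_a, &deb_a1, CB_DEB_QSAM, 64);
    printf("own DEB: %s, read_only=%d\n", ok ? "accepted" : "rejected", ok ? ok->read_only : -1);
    printf("counterfeit: %s\n", validate_cb(&jobstep_a, &counterfeit, CB_DEB_QSAM, 64) ? "accepted" : "rejected");
    printf("other step's DEB: %s\n", validate_cb(&jobstep_a, &deb_b1, CB_DEB_QSAM, 64) ? "accepted" : "rejected");
    return 0;
}
```

Only a block reached from the step's own anchor is accepted, so the read-only restriction the control program recorded in it is the one that governs the access; the counterfeit block's contents are never consulted.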