[pups] Issues of AUUGN

Dave Horsfall dave at horsfall.org
Wed Oct 4 20:22:24 AEST 2006 

On Wed, 4 Oct 2006, Johnny Billquist wrote:

> > There was a clever assembly program that did it; it relied upon the 
> > instruction counter wrapping around (I can't remember in which 
> > direction, or whether it first relocated itself).  Anyone, it managed 
> > to fill memory with SPLs, so the next instruction after overwriting 
> > its last instruction was SPL, and for the foreseeable future after 
> > that...
> 
> It would have to wrap forwards. Basically, if you just have a
> 
> 	MOV	(PC)+,(R0)+
> 	SPL	#7

Yes, that's it!  Except it was SPL 0; not that it made any difference, but 
it was just as devastating in user mode.

Damn; I'm still trying to visualise how it works...  It took me ages, the 
first time I saw it; I *think* it propagates the MOV throughout memory, 
leaving a trail of SPLs behind it?

> and make sure that the rest of the memory don't do anything overly 
> foolish, [...]

Not a problem in user mode?

> However, another way of achieving this, if you have some kind of control 
> of the MMU is to just fill one page with SPLs, and then remap all of 
> your memory to be that page. The last page you remap is just the page 
> that holds all the code doing the setup.

But you'd need kernel mode for that; this is a DoS attack (one of the 
first?) launched by a user.

> > If I find the article I'll post it here; I don't think there are too 
> > many 11/70s still in public operation.
> 
> Well, ours is occasionally. It's off at the moment, since we're not 
> allowed to consume that much money anymore, but Magica.Update.UU.SE is 
> just a key turn away from being online.

Cool :-)

> > I'll remember that, should I ever see an emulator :-)  I still 
> > remember Ian Johnstone cursing me...
> 
> :-)

It was two words: "YOU XXXX!" (an indelicate term for a part of the female 
anatomy) followed by the phone being slammed down...

> Oh, that would be having the HALT switch down and pressing the START 
> switch, by the way. That combination will trigger a Unibus reset, and 
> will bring the CPU out of almost all catatonic states that I've seen, 
> including serious bus problems.

Interesting.  I knew the HALT switch didn't halt the box right away; bus 
transfers still completed so we were taught to W/PROT the RK-05s *after* 
hitting HALT, but I didn't know it worked in combination.

-- Dave

More information about the TUHS mailing list