COMMAND

    kernel (locore.o)

SYSTEMS AFFECTED

    SunOS 4.1.*, sun4c architecture

PROBLEM

    Executing a ta 0xff (trap_mon) instruction from user mode leaves the
    CPU in an inconsistent state.

    Local users can cause a watchdog reset or a bad-instruction kernel
    panic.

    This is believed only to affect the sun4c architecture.

    All traps in the trap vector table, apart from the trap_mon trap,
    set register %l6 to 7 before branching to sys_trap.  7 is believed
    to be the number of register windows for the sun4c architecture
    (allowing for window overlap), and is required by sys_trap.

    trap_mon checks the processor state register to ensure the trap was
    taken in supervisor mode.  If this is not the case, it branches to
    sys_trap to handle the error.

    Therefore, if we perform a ta 0xff from user mode, we branch to
    sys_trap with an undefined value in %l6.  This can subsequently
    cause an illegal-instruction panic or a window-underflow watchdog
    reset.

SOLUTION

    Looking at locore.o, this is the current trap vector entry for ta
    0xff (the mov in the branch delay slot executes before the branch
    takes effect):

        0xff0:          a1480000        = rd            %psr, %l0
        0xff4:          108004cb        = ba            trap_mon
        0xff8:          a81020ff        = mov           0xff, %l4
        0xffc:          01000000        = nop

    Utilising the free nop instruction, we can patch locore.o to set
    register %l6 to 7.  The ba moves one word closer to trap_mon, so
    its PC-relative displacement drops from 0x4cb to 0x4ca, and the new
    mov sits in its delay slot:

        0xff0:          a1480000        = rd            %psr, %l0
        0xff4:          a81020ff        = mov           0xff, %l4
        0xff8:          108004ca        = ba            trap_mon
        0xffc:          ac102007        = mov           0x7, %l6

    A new kernel must then be built.
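    As an added example, not part of this advisory and not Sun's code, the
    following Python script derives the patched entry from the original
    words quoted above and applies it to an object image only when the
    bytes at the vector offset match the original exactly.  It assumes
    SPARC V8 instruction encodings (ba as a format-2 branch with a 22-bit
    word displacement, mov as a synthetic or %g0,simm13,%rd) and that the
    0xff0 address is also the file offset of the entry inside locore.o,
    which the advisory does not state; the function names and the sample
    image are the example's own.

```python
"""Derive and apply the ta 0xff (trap_mon) vector patch (added example)."""
import struct

# SPARC register numbers: %l0..%l7 are r16..r23 (SPARC V8 encoding, assumed)
L4, L6 = 16 + 4, 16 + 6

# Instruction words quoted in the advisory for the 0xff0..0xffc entry
ORIG_ENTRY    = (0xA1480000, 0x108004CB, 0xA81020FF, 0x01000000)
PATCHED_ENTRY = (0xA1480000, 0xA81020FF, 0x108004CA, 0xAC102007)
ENTRY_FMT = ">4I"          # four big-endian 32-bit words


def decode_ba(word):
    """Return the signed 22-bit word displacement of a 'ba' instruction, else None."""
    op = word >> 30
    cond = (word >> 25) & 0xF
    op2 = (word >> 22) & 0x7
    if op != 0 or op2 != 0b010 or cond != 0b1000:
        return None
    disp = word & 0x3FFFFF
    return disp - 0x400000 if disp & 0x200000 else disp


def encode_ba(disp, annul=False):
    """Encode 'ba' with a word displacement that must fit in disp22."""
    if not -0x200000 <= disp < 0x200000:
        raise ValueError("displacement does not fit in 22 bits")
    return (int(annul) << 29) | (0b1000 << 25) | (0b010 << 22) | (disp & 0x3FFFFF)


def relocate_ba(word, delta_words):
    """Re-encode a PC-relative 'ba' that is moved delta_words forward so it still
    reaches the same absolute target (moving forward shrinks the displacement)."""
    disp = decode_ba(word)
    if disp is None:
        raise ValueError("not a ba instruction: %08x" % word)
    return encode_ba(disp - delta_words, annul=bool((word >> 29) & 1))


def encode_mov_imm(imm, rd):
    """'mov simm13, %rd' is the synthetic form of 'or %g0, simm13, %rd'."""
    if not -0x1000 <= imm < 0x1000:
        raise ValueError("immediate does not fit in simm13")
    return (0b10 << 30) | (rd << 25) | (0x02 << 19) | (1 << 13) | (imm & 0x1FFF)


def build_patched_entry(orig):
    """The branch moves into the old delay slot's place, the old delay-slot mov
    moves up, and the freed nop becomes 'mov 7, %l6' in the new delay slot."""
    rd_psr, ba, mov_l4, nop = orig
    if nop != 0x01000000:
        raise ValueError("expected a nop in the fourth slot")
    return (rd_psr, mov_l4, relocate_ba(ba, +1), encode_mov_imm(7, L6))


def read_entry(image, vector_offset=0xFF0):
    """Return the four words of the trap vector entry at vector_offset."""
    return struct.unpack_from(ENTRY_FMT, image, vector_offset)


def patch_locore_bytes(image, vector_offset=0xFF0):
    """Return a patched copy of the image; refuse anything but an exact match of
    the original entry, and leave an already-patched image untouched."""
    found = read_entry(image, vector_offset)
    if found == PATCHED_ENTRY:
        return bytes(image)
    if found != ORIG_ENTRY:
        raise ValueError("unexpected words at 0x%x: %s"
                         % (vector_offset, ["%08x" % w for w in found]))
    out = bytearray(image)
    struct.pack_into(ENTRY_FMT, out, vector_offset, *build_patched_entry(found))
    return bytes(out)


def make_sample_image():
    """Constructed stand-in for locore.o: zeros with the original entry at 0xff0."""
    img = bytearray(0x1000)
    struct.pack_into(ENTRY_FMT, img, 0xFF0, *ORIG_ENTRY)
    return bytes(img)


if __name__ == "__main__":
    patched = patch_locore_bytes(make_sample_image())
    print(["%08x" % w for w in read_entry(patched)])
    # Both branches reach the same target word: 0xff4 + 4*0x4cb == 0xff8 + 4*0x4ca
    print(hex(0xFF4 + 4 * decode_ba(ORIG_ENTRY[1])),
          hex(0xFF8 + 4 * decode_ba(PATCHED_ENTRY[2])))
```

    To use it on a real locore.o, read the file into bytes, confirm the
    offset of the ta 0xff entry with your own disassembly first, and
    write the returned bytes to a copy; the exact-match check means a
    wrong offset raises instead of corrupting the object.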

    This patch has run successfully for several months on a SunOS
    4.1.3_U1 machine.  However, it comes with no guarantees and must be
    used at your own risk.