Subject: Re: RelCache (aka ELF prebinding) news
To: None <tech-kern@netbsd.org, tech-userlevel@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-userlevel
Date: 12/04/2002 00:52:22
> The sole purpose of this identifier is to ensure that ld.so does not
> mistake one legitimate .so file for another.  Deliberate attempts to
> generate hash collisions are beyond the scope; this is not a security
> function, we simply want reasonable assurance that the prebinder will
> not hand you the symbols for the wrong shared object file because
> they happened to have the same unique identifier computed from their
> contents and stamped into them.

I must be missing something.  How is it not a security problem if you
get the symbols that go with a .so file of the attacker's choice rather
than the ones that go with the .so you wanted to use?  At the very
least, it sounds like a trivial DoS to me, and probably worse
(consider, for example, arranging to have strncpy resolve to strcpy's
code)....

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
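The failure mode der Mouse describes, as an added example that is not part of the thread or of NetBSD's RelCache code: a toy prebinder cache keyed on a short content-derived identifier (an 8-bit checksum standing in for the real identifier, an assumption) hands back another object's symbols when two objects share that identifier, while checking a full-content digest on every hit turns the collision into an ordinary cache miss. The symbol-table format and both object contents are constructed for the demonstration.

```python
import hashlib

def weak_id(blob: bytes) -> int:
    # Toy stand-in for a short content-derived identifier: an 8-bit additive checksum.
    return sum(blob) & 0xFF

def full_digest(blob: bytes) -> str:
    # Full-content digest used to confirm that a cache hit really belongs to this object.
    return hashlib.sha256(blob).hexdigest()

def parse_symbols(blob: bytes) -> dict:
    # Constructed symbol-table format: "name@hexaddr;" entries; other bytes are ignored.
    syms = {}
    for entry in blob.split(b";"):
        if b"@" in entry:
            name, addr = entry.split(b"@", 1)
            syms[name.decode()] = int(addr, 16)
    return syms

# Constructed shared objects. LIBC_A is the library the program actually wants.
LIBC_A = b"strcpy@0x1000;strncpy@0x1040;"
# LIBC_B maps strncpy onto strcpy's code and carries one padding byte chosen so that
# its weak identifier equals LIBC_A's (the collision the thread is worried about).
_BASE = b"strcpy@0x2000;strncpy@0x2000;"
LIBC_B = _BASE + bytes([(weak_id(LIBC_A) - weak_id(_BASE)) & 0xFF])

class PrebindCache:
    """Model of a prebinder cache keyed on the short identifier."""
    def __init__(self, verify_content: bool):
        self.verify_content = verify_content
        self.entries = {}  # weak id -> (full digest, symbol map)

    def record(self, blob: bytes) -> None:
        self.entries[weak_id(blob)] = (full_digest(blob), parse_symbols(blob))

    def resolve(self, blob: bytes, name: str) -> int:
        # Return the cached address on a hit; otherwise resolve from the object itself.
        hit = self.entries.get(weak_id(blob))
        if hit is not None:
            digest, syms = hit
            if not self.verify_content or digest == full_digest(blob):
                return syms[name]
        return parse_symbols(blob)[name]  # miss, or identifier matched but contents did not

def demo(verify_content: bool) -> int:
    # The cache was populated from LIBC_B; the program then loads LIBC_A and asks for strncpy.
    cache = PrebindCache(verify_content)
    cache.record(LIBC_B)
    return cache.resolve(LIBC_A, "strncpy")
```

Without verification the lookup returns 0x2000, LIBC_B's strcpy, for LIBC_A's strncpy; with verification it returns LIBC_A's own 0x1040.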