On Wed, Dec 04, 2002 at 12:52:22AM +0100, der Mouse wrote:
> > The sole purpose of this identifier is to ensure that ld.so does not
> > mistake one legitimate .so file for another.  Deliberate attempts to
> > generate hash collisions are beyond the scope; this is not a security
> > function, we simply want reasonable assurance that the prebinder will
> > not hand you the symbols for the wrong shared object file because
> > they happened to have the same unique identifier computed from their
> > contents and stamped into them.
> 
> I must be missing something.  How is it not a security problem if you
> get the symbols that go with a .so file of the attacker's choice rather
> than the ones that go with the .so you wanted to use?  At the very
> least, it sounds like a trivial DoS to me, and probably worse
> (consider, for example, arranging to have strncpy resolve to strcpy's
> code)....

Deliberate collisions are MUCH easier to generate that random
collisions are likely - ie is you are creating both items.

ISTM that you could make the 'prebind' information an exectuable
(in its own right) - giving it the name of the program.

Also if you aren't going to check the hash, an errant party
could easily generate a file with the wrong value...

(is this worse that someone with root access putting in
an errant shared library?)


	David

-- 
David Laight: david@l8s.co.uk