by lifthrasiir
809 days ago
The initial discoverer has briefly mentioned this (and any error here will be mine), but the ifunc resolver here has been used to execute some code much earlier than everything else, because the resolver has to be called before the symbol gets resolved. So the resolver itself doesn't have to be put into the replaced function; the actual hooking instead happened in crc32_resolve etc. in liblzma itself, which is justifiable on its own because ifunc is often used for performance-sensitive code. The resolver isn't always guaranteed to be called if the symbol itself doesn't get used, but sshd had a particular linker option that resolves all symbols during the dynamic linkage phase, so the resolver happened to always be called, and importantly, before `RSA_public_decrypt` could be resolved. So the resolver could tamper with the subsequent dynamic loading process to replace that symbol.
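To make the timing point concrete, here is an added example (constructed for this page, not code from the comment above or from liblzma) of a GNU ifunc whose resolver records that it ran; on glibc the IRELATIVE relocation is processed while the program is being loaded, so the counter is already 1 by the time main() starts. The `checksum` symbol, the two implementations and the `resolver_calls` counter are all hypothetical names chosen for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed demo: an indirect function (ifunc) whose resolver bumps a
 * counter. The dynamic loader calls the resolver when it processes the
 * IRELATIVE relocation, i.e. before main() and before user code runs. */

static int resolver_calls = 0;   /* written by the resolver, read later */

typedef uint32_t (*checksum_fn)(const uint8_t *, size_t);

/* Two interchangeable implementations of the same hash; a real resolver
 * would pick one by CPU feature, this one only shows the dispatch path. */
static uint32_t checksum_bytewise(const uint8_t *p, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc = acc * 31u + p[i];
    return acc;
}

static uint32_t checksum_unrolled(const uint8_t *p, size_t n)
{
    uint32_t acc = 0;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        acc = acc * 31u + p[i];
        acc = acc * 31u + p[i + 1];
        acc = acc * 31u + p[i + 2];
        acc = acc * 31u + p[i + 3];
    }
    for (; i < n; i++)
        acc = acc * 31u + p[i];
    return acc;
}

/* Resolver: invoked by the loader, never by user code. Relocations may be
 * incomplete at this point, so it must not call into libc. */
static checksum_fn checksum_resolver(void)
{
    resolver_calls++;
    return sizeof(void *) >= 8 ? checksum_unrolled : checksum_bytewise;
}

/* The exported symbol; calls reach whichever function the resolver returned. */
uint32_t checksum(const uint8_t *p, size_t n)
    __attribute__((ifunc("checksum_resolver")));

/* Lets main() or a test observe that the resolver already ran. */
int resolver_calls_so_far(void) { return resolver_calls; }
```

`readelf -s` lists such symbols with type IFUNC, and `readelf -d` shows whether a binary carries the BIND_NOW flag the comment refers to; both are worth checking on libraries a privileged daemon loads.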