On Thu, Feb 23, 2017 at 10:40:48AM -0800, Linus Torvalds wrote: > > Generate a regular commit object; use the entire commit object + NUL as the > > chosen prefix, and use the identical-prefix collision attack to generate > > the colliding good/bad objects. > > So I agree with you that we need to make git check for the opaque > data. I think I was the one who brought that whole argument up. We do already. > But even then, what you describe doesn't work. What you describe just > replaces the opaque data - that git doesn't actually *use*, and that > nobody sees - with another piece of opaque data. > > You also need to make the non-opaque data of the bad object be > something that actually encodes valid git data with interesting hashes > in it (for the parent/tree/whatever pointers). > > So you don't have just that "chosen prefix". You actually need to also > fill in some very specific piece of data *in* the attack parts itself. > And you need to do this in the exact same size (because that's part of > the prefix), etc etc. It's not an identical prefix, but I think collision attacks generally are along the lines of selecting two prefixes followed by garbage, and then mutating the garbage on both sides. That would "work" in this case (modulo the fact that git would complain about the NUL). I haven't read the paper yet to see if that is the case here, though. A related case is if you could stick a "cruft ...." header at the end of the commit headers, and mutate its value (avoiding newlines). fsck doesn't complain about that. -Peff