The role of IFUNC in the xz backdoor

A crucial element of the xz backdoor was using IFUNC, along with a dynamic linker audit hook, to replace a cryptographic function used by sshd credentials validation. If, like me, you had not heard of IFUNC before, it is a glibc feature that allows a program to choose (or “resolve”) a function implementation at runtime. A typical use case is providing optimised implementations for specific system configurations.

What I have not been able to understand from what I have read is how it was possible for the attacker to exploit this feature in this way. Is it expected that a dynamically loaded library can replace the address of a function from another library? Shouldn’t IFUNC disallow this kind of usage? It seems like an overly powerful feature that is easy to misuse.

submitted by /u/jdehesa
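To make the mechanism the post asks about concrete, here is an added example (not from the post or from xz/glibc) of a minimal IFUNC-resolved function. It assumes GCC or Clang on Linux with glibc; the names `add`, `add_fast`, `add_generic`, `resolve_add` and `add_impl` are made up.

```c
/* Added example, not from the original post: a minimal glibc IFUNC.
 * Assumes GCC or Clang on Linux with glibc. All names below are made up. */
#include <stdio.h>

/* Records which implementation the resolver picked, so it can be reported. */
static const char *selected = "unresolved";

/* Two interchangeable implementations; a real "fast" variant would use SIMD. */
static int add_generic(int a, int b) { return a + b; }
static int add_fast(int a, int b)    { return a + b; }

/* The resolver. The dynamic linker (or, in a static binary, libc start-up
 * code) calls it once while applying relocations, before main() runs, and
 * stores the returned address in the GOT slot for add(). Every later call to
 * add() jumps to that address: the choice is made at load time, not per call,
 * and the resolver is ordinary code running with the process's privileges. */
static int (*resolve_add(void))(int, int) {
#if defined(__x86_64__) || defined(__i386__)
    __builtin_cpu_init();              /* required before __builtin_cpu_supports */
    if (__builtin_cpu_supports("sse2")) {
        selected = "add_fast (sse2)";
        return add_fast;
    }
#endif
    selected = "add_generic";
    return add_generic;
}

/* Declare add() as an indirect function: its symbol gets type STT_GNU_IFUNC
 * and the linker emits an IRELATIVE relocation pointing at resolve_add. */
int add(int a, int b) __attribute__((ifunc("resolve_add")));

/* Exposes the resolver's decision for inspection. */
const char *add_impl(void) { return selected; }

int main(void) {
    printf("add(2, 3) = %d via %s\n", add(2, 3), add_impl());
    return 0;
}
```

Symbols of this kind show up with type `IFUNC` in `readelf -s`, which is a cheap way to inventory which binaries and libraries on a system carry load-time resolvers at all.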