macOS: block partitioned disk alias bypass

On macOS, the same whole disk can be addressed as both /dev/diskN and /dev/rdiskN. The GUI creation wizard only compared the selected path against the enumerated raw device path, so manually entering the block-device alias could bypass the existing DEVICE_PARTITIONS_ERR guard and allow formatting a disk that still had partitions. Add a shared macOS device-path comparison helper that normalizes paths to their raw-device form before comparison. Use it in the GUI wizard so /dev/diskN and /dev/rdiskN are treated as the same whole-disk target while partition paths remain distinct. Apply the same partitioned whole-device guard in the text/CLI creation path as well, including the macOS alias normalization, so command-line creation cannot format a partitioned top-level disk through an alternate device alias. Fixes #728
2026-06-17 01:56:10 -05:00 · 2026-05-29 18:32:32 +09:00
parent c8f0efde99
commit 610feb4c28
3 changed files with 33 additions and 1 deletions
@@ -1044,7 +1044,12 @@ namespace VeraCrypt

 						foreach_ref (const HostDevice &drive, Core->GetHostDevices())
 						{
-							if (drive.Path == SelectedVolumePath && !drive.Partitions.empty())
+							bool selectedWholeDevice = drive.Path == SelectedVolumePath;
+#ifdef TC_MACOSX
+							selectedWholeDevice = selectedWholeDevice
+								|| IsSameMacOSXDevicePath (string (drive.Path), string (SelectedVolumePath));
+#endif
+							if (selectedWholeDevice && !drive.Partitions.empty())
 							{
 								foreach_ref (const HostDevice &partition, drive.Partitions)
 								{
@@ -61,6 +61,11 @@ namespace VeraCrypt
 		return deviceIdentifier;
 	}

+	inline bool IsSameMacOSXDevicePath (const string &firstDeviceIdentifier, const string &secondDeviceIdentifier)
+	{
+		return GetMacOSXRawDevicePath (firstDeviceIdentifier) == GetMacOSXRawDevicePath (secondDeviceIdentifier);
+	}
+
 	inline string GetMacOSXFormatterName (const string &fsFormatter)
 	{
 		size_t namePos = fsFormatter.find_last_of ('/');
@@ -684,6 +684,28 @@ namespace VeraCrypt
 			} while (options->Path.IsEmpty());
 		}

+		if (options->Path.IsDevice())
+		{
+			foreach_ref (const HostDevice &drive, Core->GetHostDevices())
+			{
+				bool selectedWholeDevice = drive.Path == options->Path;
+#ifdef TC_MACOSX
+				selectedWholeDevice = selectedWholeDevice
+					|| IsSameMacOSXDevicePath (string (drive.Path), string (options->Path));
+#endif
+				if (selectedWholeDevice && !drive.Partitions.empty())
+				{
+					foreach_ref (const HostDevice &partition, drive.Partitions)
+					{
+						if (partition.MountPoint == "/")
+							throw_err (LangString["LINUX_ERROR_TRY_ENCRYPT_SYSTEM_DRIVE"]);
+					}
+
+					throw_err (LangString["DEVICE_PARTITIONS_ERR"]);
+				}
+			}
+		}
+
 		// Sector size
 		if (options->Path.IsDevice())
 			options->SectorSize = Core->GetDeviceSectorSize (options->Path);