mirror of
https://github.com/veracrypt/VeraCrypt.git
synced 2026-06-21 03:55:02 -05:00
575262a104
The privileged CoreService handler for SetFileOwnerRequest passed the client-supplied path straight to chown() as root with no validation -- unlike the adjacent APFS formatter handler, which strictly validates its device argument. Every legitimate macOS caller of the elevated SetFileOwner targets a real disk device node (/dev/[r]diskN[sM]), so a crafted IPC request, or a symlink planted at the target, could otherwise make the root process change ownership of an arbitrary path. Validate the target service-side: require the strict device-path form already used by the formatter, and lstat() it to confirm a block or character device (rejecting symlinks rather than following them) before the chown. Co-authored-by: Damian Rickard <damian@rickard.us>
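An added example (not VeraCrypt's own code) of the service-side check the commit message describes: a strict parser for the /dev/[r]diskN[sM] form, an lstat() gate that rejects symlinks and anything that is not a block or character device, and only then the ownership change. Function names are assumed, and lchown() stands in for chown() so that a link placed at the path is never followed even after the check.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Consume one run of decimal digits; false if there is none. */
static bool take_digits(const char **p)
{
    const char *s = *p;
    if (!isdigit((unsigned char)*s)) return false;
    while (isdigit((unsigned char)*s)) s++;
    *p = s;
    return true;
}

/* Strict device-path form: "/dev/diskN" or "/dev/rdiskN", optionally "sM".
   Nothing else (no "..", no trailing slash, no other /dev entry) is accepted. */
bool is_strict_device_path(const char *path)
{
    const char *p = path;
    if (strncmp(p, "/dev/", 5) != 0) return false;
    p += 5;
    if (*p == 'r') p++;
    if (strncmp(p, "disk", 4) != 0) return false;
    p += 4;
    if (!take_digits(&p)) return false;
    if (*p == 's') { p++; if (!take_digits(&p)) return false; }
    return *p == '\0';
}

/* 0 = acceptable target; 1 = bad form; 2 = lstat failed; 3 = not a device node.
   lstat() reports a symlink as S_IFLNK, so a planted link fails the S_ISBLK/S_ISCHR test. */
int validate_device_target(const char *path)
{
    struct stat st;
    if (!is_strict_device_path(path)) return 1;
    if (lstat(path, &st) != 0) return 2;
    if (!(S_ISBLK(st.st_mode) || S_ISCHR(st.st_mode))) return 3;
    return 0;
}

/* Hypothetical hardened handler body: validate, then change ownership without following links. */
int set_file_owner_checked(const char *path, uid_t uid, gid_t gid)
{
    int rc = validate_device_target(path);
    if (rc != 0) return rc;
    return lchown(path, uid, gid) == 0 ? 0 : 4;
}
```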