lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 8 Nov 2013 16:14:51 -0500
From: Stefan Arentz <stefan@...ement.sateh.com>
To: submit@...ec.org
Cc: bugtraq@...urityfocus.com
Subject: Re: Apple MacOSX 10.9 Hard Link Memory Corruption

On Thu, Nov 07, 2013 at 10:50:59PM +0000, submit@...ec.org wrote:

> mac-cxs-XK:pochd XK$ gcc -o test test.c
> mac-cxs-XK:pochd XK$ ls
> test	test.c
> mac-cxs-XK:pochd XK$ mkdir DIR1
> mac-cxs-XK:pochd XK$ ./test DIR1 Hardlink1
> link(3) return= -1
> mac-cxs-XK:pochd XK$ mkdir DIR1/DIR2
> mac-cxs-XK:pochd XK$ ./test DIR1/DIR2 Hardlink2
> link(3) return= 0
> mac-cxs-XK:pochd XK$ cd DIR1
> mac-cxs-XK:DIR1 XK$ mkdir DIR2/DIR3
> mac-cxs-XK:DIR1 XK$ ../test DIR2/DIR3 Hardlink3
> link(3) return= 0
> mac-cxs-XK:DIR1 XK$ cd DIR2
> mac-cxs-XK:DIR2 XK$ mkdir DIR3/DIR4
> mac-cxs-XK:DIR2 XK$ ../../test DIR3/DIR4 Hardlink4
> link(3) return= -1

The first failing case is easily explained: directory hard links cannot have the same
parent. This is checked in hfs_link.c[1] in hfs_vnop_link(). Search for the following
comment:

	/* 
	 * All directory links must reside in an non-ARCHIVED hierarchy.
	 */
	if (v_type == VDIR) {
		/*
		 * - Source parent and destination parent cannot match
		 * - A link is not permitted in the root directory
		 * - Parent of 'pointed at' directory is not the root directory
		 * - The 'pointed at' directory (source) is not an ancestor
		 *   of the new directory hard link (destination).
		 * - No ancestor of the new directory hard link (destination) 
		 *   is a directory hard link.
		 */
		if ((parentcnid == tdcp->c_fileid) ||
		    (tdcp->c_fileid == kHFSRootFolderID) ||
		    (parentcnid == kHFSRootFolderID) ||
		    cat_check_link_ancestry(hfsmp, tdcp->c_fileid, cp->c_fileid)) {
			error = EPERM;  /* abide by the rules, you did not */
			goto out;
		}
	}

Does this also explain the last case?

 S.

[1] http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_link.c

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ