NotificationsYou must be signed in to change notification settings
Fork5.2k
Star19k

Commit7e86da5

committed

Fix security checks in selectivity estimation functions.

Commite2d4ef8 (the fix forCVE-2017-7484) added security checksto the selectivity estimation functions to prevent them from runninguser-supplied operators on data obtained from pg_statistic if the userlacks privileges to select from the underlying table. In casesinvolving inheritance/partitioning, those checks were originallyperformed against the child RTE (which for plain inheritance mightactually refer to the parent table). Commit553d2ec then extendedthat to also check the parent RTE, allowing access if the user hadpermissions on either the parent or the child. It turns out, however,that doing any checks using the child RTE is incorrect, sincesecurityQuals is set to NULL when creating an RTE for an inheritancechild (whether it refers to the parent table or the child table), andtherefore such checks do not correctly account for any RLS policies orsecurity barrier views. Therefore, do the security checks using onlythe parent RTE. This is consistent with how RLS policies are applied,and the executor's ACL checks, both of which use only the parenttable's permissions/policies. Similar checks are performed in theextended stats code, so update that in the same way, centralizing allthe checks in a new function.In addition, note that these checks by themselves are insufficient toensure that the user has access to the table's data because, in aquery that goes via a view, they only check that the view owner haspermissions on the underlying table, not that the current user haspermissions on the view itself. In the selectivity estimationfunctions, there is no easy way to navigate from underlying tables toviews, so add permissions checks for all views mentioned in the queryto the planner startup code. If the user lacks permissions on a view,a permissions error will now be reported at planner-startup, and theselectivity estimation functions will not be run.Checking view permissions at planner-startup in this way is a littleugly, since the same checks will be repeated at executor-startup.Longer-term, it might be better to move all the permissions checksfrom the executor to the planner so that permissions errors can bereported sooner, instead of creating a plan that won't ever be run.However, such a change seems too far-reaching to be back-patched.Back-patch to all supported versions. In v13, there is the addedcomplication that UPDATEs and DELETEs on inherited target tables areplanned using inheritance_planner(), which plans each inheritancechild table separately, so that the selectivity estimation functionsdo not know that they are dealing with a child table accessed via itsparent. Handle that by checking access permissions on the top parenttable at planner-startup, in the same way as we do for views. AnysecurityQuals on the top parent table are moved down to the childtables by inheritance_planner(), so they continue to be checked by theselectivity estimation functions.Author: Dean Rasheed <dean.a.rasheed@gmail.com>Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>Reviewed-by: Noah Misch <noah@leadboat.com>Backpatch-through: 13Security:CVE-2025-8713

1 parent94c0673 commit7e86da5Copy full SHA for 7e86da5

File tree

12 files changed

+569

-288

lines changed

src
- backend
  - executor
    - execMain.c
  - optimizer/plan
    - planner.c
  - statistics
    - extended_stats.c
  - utils/adt
    - selfuncs.c
- include
  - executor
    - executor.h
  - utils
    - selfuncs.h
- test/regress
  - expected
  - sql

12 files changed

+569

-288

lines changed

`‎src/backend/executor/execMain.c‎`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,6 @@ static void ExecutePlan(QueryDesc *queryDesc,`
`89`	`89`	`uint64numberTuples,`
`90`	`90`	`ScanDirectiondirection,`
`91`	`91`	`DestReceiver*dest);`
`92`		`-staticboolExecCheckOneRelPerms(RTEPermissionInfo*perminfo);`
`93`	`92`	`staticboolExecCheckPermissionsModified(OidrelOid,Oiduserid,`
`94`	`93`	`Bitmapset*modifiedCols,`
`95`	`94`	`AclModerequiredPerms);`
`@@ -635,7 +634,7 @@ ExecCheckPermissions(List rangeTable, List rteperminfos,`
`635`	`634`	`* ExecCheckOneRelPerms`
`636`	`635`	`*Check access permissions for a single relation.`
`637`	`636`	`*/`
`638`		`-staticbool`
	`637`	`+bool`
`639`	`638`	`ExecCheckOneRelPerms(RTEPermissionInfo*perminfo)`
`640`	`639`	`{`
`641`	`640`	`AclModerequiredPerms;`

`‎src/backend/optimizer/plan/planner.c‎`

Lines changed: 33 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@`
`63`	`63`	`#include"partitioning/partdesc.h"`
`64`	`64`	`#include"rewrite/rewriteManip.h"`
`65`	`65`	`#include"storage/dsm_impl.h"`
	`66`	`+#include"utils/acl.h"`
`66`	`67`	`#include"utils/lsyscache.h"`
`67`	`68`	`#include"utils/rel.h"`
`68`	`69`	`#include"utils/selfuncs.h"`
`@@ -788,6 +789,38 @@ subquery_planner(PlannerGlobal glob, Query parse,`
`788`	`789`	`bms_make_singleton(parse->resultRelation);`
`789`	`790`	`}`
`790`	`791`
	`792`	`+/*`
	`793`	`+ * This would be a convenient time to check access permissions for all`
	`794`	`+ * relations mentioned in the query, since it would be better to fail now,`
	`795`	`+ * before doing any detailed planning. However, for historical reasons,`
	`796`	`+ * we leave this to be done at executor startup.`
	`797`	`+ *`
	`798`	`+ * Note, however, that we do need to check access permissions for any view`
	`799`	`+ * relations mentioned in the query, in order to prevent information being`
	`800`	`+ * leaked by selectivity estimation functions, which only check view owner`
	`801`	`+ * permissions on underlying tables (see all_rows_selectable() and its`
	`802`	`+ * callers). This is a little ugly, because it means that access`
	`803`	`+ * permissions for views will be checked twice, which is another reason`
	`804`	`+ * why it would be better to do all the ACL checks here.`
	`805`	`+ */`
	`806`	`+foreach(l,parse->rtable)`
	`807`	`+{`
	`808`	`+RangeTblEntry*rte=lfirst_node(RangeTblEntry,l);`
	`809`	`+`
	`810`	`+if (rte->perminfoindex!=0&&`
	`811`	`+rte->relkind==RELKIND_VIEW)`
	`812`	`+{`
	`813`	`+RTEPermissionInfo*perminfo;`
	`814`	`+boolresult;`
	`815`	`+`
	`816`	`+perminfo=getRTEPermissionInfo(parse->rteperminfos,rte);`
	`817`	`+result=ExecCheckOneRelPerms(perminfo);`
	`818`	`+if (!result)`
	`819`	`+aclcheck_error(ACLCHECK_NO_PRIV,OBJECT_VIEW,`
	`820`	`+get_rel_name(perminfo->relid));`
	`821`	`+}`
	`822`	`+}`
	`823`	`+`
`791`	`824`	`/*`
`792`	`825`	`* Preprocess RowMark information. We need to do this after subquery`
`793`	`826`	`* pullup, so that all base relations are present.`

`‎src/backend/statistics/extended_stats.c‎`

Lines changed: 44 additions & 64 deletions

Original file line number	Diff line number	Diff line change
`@@ -1344,14 +1344,17 @@ choose_best_statistics(List *stats, char requiredkind, bool inh,`
`1344`	`1344`	`*so we can't cope with system columns.`
`1345`	`1345`	`* *exprs: input/output parameter collecting primitive subclauses within`
`1346`	`1346`	`*the clause tree`
	`1347`	`+ * *leakproof: input/output parameter recording the leakproofness of the`
	`1348`	`+ *clause tree. This should be true initially, and will be set to false`
	`1349`	`+ *if any operator function used in an OpExpr is not leakproof.`
`1347`	`1350`	`*`
`1348`	`1351`	`* Returns false if there is something we definitively can't handle.`
`1349`	`1352`	`* On true return, we can proceed to match the *exprs against statistics.`
`1350`	`1353`	`*/`
`1351`	`1354`	`staticbool`
`1352`	`1355`	`statext_is_compatible_clause_internal(PlannerInforoot,Nodeclause,`
`1353`	`1356`	`Indexrelid,Bitmapset**attnums,`
`1354`		`-List**exprs)`
	`1357`	`+List*exprs,boolleakproof)`
`1355`	`1358`	`{`
`1356`	`1359`	`/* Look inside any binary-compatible relabeling (as in examine_variable) */`
`1357`	`1360`	`if (IsA(clause,RelabelType))`
`@@ -1386,7 +1389,6 @@ statext_is_compatible_clause_internal(PlannerInfo root, Node clause,`
`1386`	`1389`	`/* (Var/Expr op Const) or (Const op Var/Expr) */`
`1387`	`1390`	`if (is_opclause(clause))`
`1388`	`1391`	`{`
`1389`		`-RangeTblEntry*rte=root->simple_rte_array[relid];`
`1390`	`1392`	`OpExprexpr= (OpExpr)clause;`
`1391`	`1393`	`Node*clause_expr;`
`1392`	`1394`
`@@ -1421,24 +1423,15 @@ statext_is_compatible_clause_internal(PlannerInfo root, Node clause,`
`1421`	`1423`	`return false;`
`1422`	`1424`	`}`
`1423`	`1425`
`1424`		`-/*`
`1425`		`- * If there are any securityQuals on the RTE from security barrier`
`1426`		`- * views or RLS policies, then the user may not have access to all the`
`1427`		`- * table's data, and we must check that the operator is leak-proof.`
`1428`		`- *`
`1429`		`- * If the operator is leaky, then we must ignore this clause for the`
`1430`		`- * purposes of estimating with MCV lists, otherwise the operator might`
`1431`		`- * reveal values from the MCV list that the user doesn't have`
`1432`		`- * permission to see.`
`1433`		`- */`
`1434`		`-if (rte->securityQuals!=NIL&&`
`1435`		`-!get_func_leakproof(get_opcode(expr->opno)))`
`1436`		`-return false;`
	`1426`	`+/* Check if the operator is leakproof */`
	`1427`	`+if (*leakproof)`
	`1428`	`+*leakproof=get_func_leakproof(get_opcode(expr->opno));`
`1437`	`1429`
`1438`	`1430`	`/* Check (Var op Const) or (Const op Var) clauses by recursing. */`
`1439`	`1431`	`if (IsA(clause_expr,Var))`
`1440`	`1432`	`returnstatext_is_compatible_clause_internal(root,clause_expr,`
`1441`		`-relid,attnums,exprs);`
	`1433`	`+relid,attnums,`
	`1434`	`+exprs,leakproof);`
`1442`	`1435`
`1443`	`1436`	`/* Otherwise we have (Expr op Const) or (Const op Expr). */`
`1444`	`1437`	`exprs=lappend(exprs,clause_expr);`
`@@ -1448,7 +1441,6 @@ statext_is_compatible_clause_internal(PlannerInfo root, Node clause,`
`1448`	`1441`	`/* Var/Expr IN Array */`
`1449`	`1442`	`if (IsA(clause,ScalarArrayOpExpr))`
`1450`	`1443`	`{`
`1451`		`-RangeTblEntry*rte=root->simple_rte_array[relid];`
`1452`	`1444`	`ScalarArrayOpExprexpr= (ScalarArrayOpExpr)clause;`
`1453`	`1445`	`Node*clause_expr;`
`1454`	`1446`	`boolexpronleft;`
`@@ -1488,24 +1480,15 @@ statext_is_compatible_clause_internal(PlannerInfo root, Node clause,`
`1488`	`1480`	`return false;`
`1489`	`1481`	`}`
`1490`	`1482`
`1491`		`-/*`
`1492`		`- * If there are any securityQuals on the RTE from security barrier`
`1493`		`- * views or RLS policies, then the user may not have access to all the`
`1494`		`- * table's data, and we must check that the operator is leak-proof.`
`1495`		`- *`
`1496`		`- * If the operator is leaky, then we must ignore this clause for the`
`1497`		`- * purposes of estimating with MCV lists, otherwise the operator might`
`1498`		`- * reveal values from the MCV list that the user doesn't have`
`1499`		`- * permission to see.`
`1500`		`- */`
`1501`		`-if (rte->securityQuals!=NIL&&`
`1502`		`-!get_func_leakproof(get_opcode(expr->opno)))`
`1503`		`-return false;`
	`1483`	`+/* Check if the operator is leakproof */`
	`1484`	`+if (*leakproof)`
	`1485`	`+*leakproof=get_func_leakproof(get_opcode(expr->opno));`
`1504`	`1486`
`1505`	`1487`	`/* Check Var IN Array clauses by recursing. */`
`1506`	`1488`	`if (IsA(clause_expr,Var))`
`1507`	`1489`	`returnstatext_is_compatible_clause_internal(root,clause_expr,`
`1508`		`-relid,attnums,exprs);`
	`1490`	`+relid,attnums,`
	`1491`	`+exprs,leakproof);`
`1509`	`1492`
`1510`	`1493`	`/* Otherwise we have Expr IN Array. */`
`1511`	`1494`	`exprs=lappend(exprs,clause_expr);`
`@@ -1542,7 +1525,8 @@ statext_is_compatible_clause_internal(PlannerInfo root, Node clause,`
`1542`	`1525`	`*/`
`1543`	`1526`	`if (!statext_is_compatible_clause_internal(root,`
`1544`	`1527`	`(Node*)lfirst(lc),`
`1545`		`-relid,attnums,exprs))`
	`1528`	`+relid,attnums,exprs,`
	`1529`	`+leakproof))`
`1546`	`1530`	`return false;`
`1547`	`1531`	`}`
`1548`	`1532`
`@@ -1556,8 +1540,10 @@ statext_is_compatible_clause_internal(PlannerInfo root, Node clause,`
`1556`	`1540`
`1557`	`1541`	`/* Check Var IS NULL clauses by recursing. */`
`1558`	`1542`	`if (IsA(nt->arg,Var))`
`1559`		`-returnstatext_is_compatible_clause_internal(root, (Node*) (nt->arg),`
`1560`		`-relid,attnums,exprs);`
	`1543`	`+returnstatext_is_compatible_clause_internal(root,`
	`1544`	`+ (Node*) (nt->arg),`
	`1545`	`+relid,attnums,`
	`1546`	`+exprs,leakproof);`
`1561`	`1547`
`1562`	`1548`	`/* Otherwise we have Expr IS NULL. */`
`1563`	`1549`	`exprs=lappend(exprs,nt->arg);`
`@@ -1596,11 +1582,9 @@ static bool`
`1596`	`1582`	`statext_is_compatible_clause(PlannerInforoot,Nodeclause,Indexrelid,`
`1597`	`1583`	`Bitmapsetattnums,Listexprs)`
`1598`	`1584`	`{`
`1599`		`-RangeTblEntry*rte=root->simple_rte_array[relid];`
`1600`		`-RelOptInfo*rel=root->simple_rel_array[relid];`
`1601`	`1585`	`RestrictInfo*rinfo;`
`1602`	`1586`	`intclause_relid;`
`1603`		`-Oiduserid;`
	`1587`	`+boolleakproof;`
`1604`	`1588`
`1605`	`1589`	`/*`
`1606`	`1590`	`* Special-case handling for bare BoolExpr AND clauses, because the`
`@@ -1640,18 +1624,31 @@ statext_is_compatible_clause(PlannerInfo root, Node clause, Index relid,`
`1640`	`1624`	`clause_relid!=relid)`
`1641`	`1625`	`return false;`
`1642`	`1626`
`1643`		`-/* Check the clause and determine what attributes it references. */`
	`1627`	`+/*`
	`1628`	`+ * Check the clause, determine what attributes it references, and whether`
	`1629`	`+ * it includes any non-leakproof operators.`
	`1630`	`+ */`
	`1631`	`+leakproof= true;`
`1644`	`1632`	`if (!statext_is_compatible_clause_internal(root, (Node*)rinfo->clause,`
`1645`		`-relid,attnums,exprs))`
	`1633`	`+relid,attnums,exprs,`
	`1634`	`+&leakproof))`
`1646`	`1635`	`return false;`
`1647`	`1636`
`1648`	`1637`	`/*`
`1649`		`- * Check that the user has permission to read all required attributes.`
	`1638`	`+ * If the clause includes any non-leakproof operators, check that the user`
	`1639`	`+ * has permission to read all required attributes, otherwise the operators`
	`1640`	`+ * might reveal values from the MCV list that the user doesn't have`
	`1641`	`+ * permission to see. We require all rows to be selectable --- there must`
	`1642`	`+ * be no securityQuals from security barrier views or RLS policies. See`
	`1643`	`+ * similar code in examine_variable(), examine_simple_variable(), and`
	`1644`	`+ * statistic_proc_security_check().`
	`1645`	`+ *`
	`1646`	`+ * Note that for an inheritance child, the permission checks are performed`
	`1647`	`+ * on the inheritance root parent, and whole-table select privilege on the`
	`1648`	`+ * parent doesn't guarantee that the user could read all columns of the`
	`1649`	`+ * child. Therefore we must check all referenced columns.`
`1650`	`1650`	`*/`
`1651`		`-userid=OidIsValid(rel->userid) ?rel->userid :GetUserId();`
`1652`		`-`
`1653`		`-/* Table-level SELECT privilege is sufficient for all columns */`
`1654`		`-if (pg_class_aclcheck(rte->relid,userid,ACL_SELECT)!=ACLCHECK_OK)`
	`1651`	`+if (!leakproof)`
`1655`	`1652`	`{`
`1656`	`1653`	`Bitmapset*clause_attnums=NULL;`
`1657`	`1654`	`intattnum=-1;`
`@@ -1676,26 +1673,9 @@ statext_is_compatible_clause(PlannerInfo root, Node clause, Index relid,`
`1676`	`1673`	`if (*exprs!=NIL)`
`1677`	`1674`	`pull_varattnos((Node)exprs,relid,&clause_attnums);`
`1678`	`1675`
`1679`		`-attnum=-1;`
`1680`		`-while ((attnum=bms_next_member(clause_attnums,attnum)) >=0)`
`1681`		`-{`
`1682`		`-/* Undo the offset */`
`1683`		`-AttrNumberattno=attnum+FirstLowInvalidHeapAttributeNumber;`
`1684`		`-`
`1685`		`-if (attno==InvalidAttrNumber)`
`1686`		`-{`
`1687`		`-/* Whole-row reference, so must have access to all columns */`
`1688`		`-if (pg_attribute_aclcheck_all(rte->relid,userid,ACL_SELECT,`
`1689`		`-ACLMASK_ALL)!=ACLCHECK_OK)`
`1690`		`-return false;`
`1691`		`-}`
`1692`		`-else`
`1693`		`-{`
`1694`		`-if (pg_attribute_aclcheck(rte->relid,attno,userid,`
`1695`		`-ACL_SELECT)!=ACLCHECK_OK)`
`1696`		`-return false;`
`1697`		`-}`
`1698`		`-}`
	`1676`	`+/* Must have permission to read all rows from these columns */`
	`1677`	`+if (!all_rows_selectable(root,relid,clause_attnums))`
	`1678`	`+return false;`
`1699`	`1679`	`}`
`1700`	`1680`
`1701`	`1681`	`/* If we reach here, the clause is OK */`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7e86da5

File tree

12 files changed

12 files changed

`‎src/backend/executor/execMain.c‎`

`‎src/backend/optimizer/plan/planner.c‎`

`‎src/backend/statistics/extended_stats.c‎`

0 commit comments