NotificationsYou must be signed in to change notification settings
Fork0
Star0

Commit537cbd3

committed

Prevent privilege escalation in explicit calls to PL validators.

The primary role of PL validators is to be called implicitly duringCREATE FUNCTION, but they are also normal functions that a user can callexplicitly. Add a permissions check to each validator to ensure that auser cannot use explicit validator calls to achieve things he could nototherwise achieve. Back-patch to 8.4 (all supported versions).Non-core procedural language extensions ought to make the same two-linechange to their own validators.Andres Freund, reviewed by Tom Lane and Noah Misch.Security:CVE-2014-0061

1 parentfea164a commit537cbd3Copy full SHA for 537cbd3

File tree

8 files changed

+109

-2

lines changed

doc/src/sgml
- plhandler.sgml
src
- backend
  - catalog
    - pg_proc.c
  - commands
    - functioncmds.c
  - utils/fmgr
    - fmgr.c
- include
  - fmgr.h
- pl
  - plperl
    - plperl.c
  - plpgsql/src
    - pl_handler.c
  - plpython
    - plpy_main.c

8 files changed

+109

-2

lines changed

`‎doc/src/sgml/plhandler.sgml`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -178,7 +178,10 @@ CREATE LANGUAGE plsample`
`178`	`178`	`or updated a function written in the procedural language.`
`179`	`179`	`The passed-in OID is the OID of the function's <classname>pg_proc</>`
`180`	`180`	`row. The validator must fetch this row in the usual way, and do`
`181`		`- whatever checking is appropriate. Typical checks include verifying`
	`181`	`+ whatever checking is appropriate.`
	`182`	`+ First, call <function>CheckFunctionValidatorAccess()</> to diagnose`
	`183`	`+ explicit calls to the validator that the user could not achieve through`
	`184`	`+ <command>CREATE FUNCTION</>. Typical checks then include verifying`
`182`	`185`	`that the function's argument and result types are supported by the`
`183`	`186`	`language, and that the function's body is syntactically correct`
`184`	`187`	`in the language. If the validator finds the function to be okay,`

`‎src/backend/catalog/pg_proc.c`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -723,6 +723,9 @@ fmgr_internal_validator(PG_FUNCTION_ARGS)`
`723`	`723`	`Datumtmp;`
`724`	`724`	`char*prosrc;`
`725`	`725`
	`726`	`+if (!CheckFunctionValidatorAccess(fcinfo->flinfo->fn_oid,funcoid))`
	`727`	`+PG_RETURN_VOID();`
	`728`	`+`
`726`	`729`	`/*`
`727`	`730`	`* We do not honor check_function_bodies since it's unlikely the function`
`728`	`731`	`* name will be found later if it isn't there now.`
`@@ -768,6 +771,9 @@ fmgr_c_validator(PG_FUNCTION_ARGS)`
`768`	`771`	`char*prosrc;`
`769`	`772`	`char*probin;`
`770`	`773`
	`774`	`+if (!CheckFunctionValidatorAccess(fcinfo->flinfo->fn_oid,funcoid))`
	`775`	`+PG_RETURN_VOID();`
	`776`	`+`
`771`	`777`	`/*`
`772`	`778`	`* It'd be most consistent to skip the check if !check_function_bodies,`
`773`	`779`	`* but the purpose of that switch is to be helpful for pg_dump loading,`
`@@ -819,6 +825,9 @@ fmgr_sql_validator(PG_FUNCTION_ARGS)`
`819`	`825`	`boolhaspolyarg;`
`820`	`826`	`inti;`
`821`	`827`
	`828`	`+if (!CheckFunctionValidatorAccess(fcinfo->flinfo->fn_oid,funcoid))`
	`829`	`+PG_RETURN_VOID();`
	`830`	`+`
`822`	`831`	`tuple=SearchSysCache1(PROCOID,ObjectIdGetDatum(funcoid));`
`823`	`832`	`if (!HeapTupleIsValid(tuple))`
`824`	`833`	`elog(ERROR,"cache lookup failed for function %u",funcoid);`

`‎src/backend/commands/functioncmds.c`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1017,7 +1017,6 @@ CreateFunction(CreateFunctionStmt stmt, const char queryString)`
`1017`	`1017`	`prorows);`
`1018`	`1018`	`}`
`1019`	`1019`
`1020`		`-`
`1021`	`1020`	`/*`
`1022`	`1021`	`* Guts of function deletion.`
`1023`	`1022`	`*`

`‎src/backend/utils/fmgr/fmgr.c`

Lines changed: 84 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@`
`24`	`24`	`#include"miscadmin.h"`
`25`	`25`	`#include"nodes/nodeFuncs.h"`
`26`	`26`	`#include"pgstat.h"`
	`27`	`+#include"utils/acl.h"`
`27`	`28`	`#include"utils/builtins.h"`
`28`	`29`	`#include"utils/fmgrtab.h"`
`29`	`30`	`#include"utils/guc.h"`
`@@ -2468,3 +2469,86 @@ get_fn_expr_variadic(FmgrInfo *flinfo)`
`2468`	`2469`	`else`
`2469`	`2470`	`return false;`
`2470`	`2471`	`}`
	`2472`	`+`
	`2473`	`+/*-------------------------------------------------------------------------`
	`2474`	`+ *Support routines for procedural language implementations`
	`2475`	`+ *-------------------------------------------------------------------------`
	`2476`	`+ */`
	`2477`	`+`
	`2478`	`+/*`
	`2479`	`+ * Verify that a validator is actually associated with the language of a`
	`2480`	`+ * particular function and that the user has access to both the language and`
	`2481`	`+ * the function. All validators should call this before doing anything`
	`2482`	`+ * substantial. Doing so ensures a user cannot achieve anything with explicit`
	`2483`	`+ * calls to validators that he could not achieve with CREATE FUNCTION or by`
	`2484`	`+ * simply calling an existing function.`
	`2485`	`+ *`
	`2486`	`+ * When this function returns false, callers should skip all validation work`
	`2487`	`+ * and call PG_RETURN_VOID(). This never happens at present; it is reserved`
	`2488`	`+ * for future expansion.`
	`2489`	`+ *`
	`2490`	`+ * In particular, checking that the validator corresponds to the function's`
	`2491`	`+ * language allows untrusted language validators to assume they process only`
	`2492`	`+ * superuser-chosen source code. (Untrusted language call handlers, by`
	`2493`	`+ * definition, do assume that.) A user lacking the USAGE language privilege`
	`2494`	`+ * would be unable to reach the validator through CREATE FUNCTION, so we check`
	`2495`	`+ * that to block explicit calls as well. Checking the EXECUTE privilege on`
	`2496`	`+ * the function is often superfluous, because most users can clone the`
	`2497`	`+ * function to get an executable copy. It is meaningful against users with no`
	`2498`	`+ * database TEMP right and no permanent schema CREATE right, thereby unable to`
	`2499`	`+ * create any function. Also, if the function tracks persistent state by`
	`2500`	`+ * function OID or name, validating the original function might permit more`
	`2501`	`+ * mischief than creating and validating a clone thereof.`
	`2502`	`+ */`
	`2503`	`+bool`
	`2504`	`+CheckFunctionValidatorAccess(OidvalidatorOid,OidfunctionOid)`
	`2505`	`+{`
	`2506`	`+HeapTupleprocTup;`
	`2507`	`+HeapTuplelangTup;`
	`2508`	`+Form_pg_procprocStruct;`
	`2509`	`+Form_pg_languagelangStruct;`
	`2510`	`+AclResultaclresult;`
	`2511`	`+`
	`2512`	`+/* Get the function's pg_proc entry */`
	`2513`	`+procTup=SearchSysCache1(PROCOID,ObjectIdGetDatum(functionOid));`
	`2514`	`+if (!HeapTupleIsValid(procTup))`
	`2515`	`+elog(ERROR,"cache lookup failed for function %u",functionOid);`
	`2516`	`+procStruct= (Form_pg_proc)GETSTRUCT(procTup);`
	`2517`	`+`
	`2518`	`+/*`
	`2519`	`+ * Fetch pg_language entry to know if this is the correct validation`
	`2520`	`+ * function for that pg_proc entry.`
	`2521`	`+ */`
	`2522`	`+langTup=SearchSysCache1(LANGOID,ObjectIdGetDatum(procStruct->prolang));`
	`2523`	`+if (!HeapTupleIsValid(langTup))`
	`2524`	`+elog(ERROR,"cache lookup failed for language %u",procStruct->prolang);`
	`2525`	`+langStruct= (Form_pg_language)GETSTRUCT(langTup);`
	`2526`	`+`
	`2527`	`+if (langStruct->lanvalidator!=validatorOid)`
	`2528`	`+ereport(ERROR,`
	`2529`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`2530`	`+errmsg("language validation function %u called for language %u instead of %u",`
	`2531`	`+validatorOid,procStruct->prolang,`
	`2532`	`+langStruct->lanvalidator)));`
	`2533`	`+`
	`2534`	`+/* first validate that we have permissions to use the language */`
	`2535`	`+aclresult=pg_language_aclcheck(procStruct->prolang,GetUserId(),`
	`2536`	`+ACL_USAGE);`
	`2537`	`+if (aclresult!=ACLCHECK_OK)`
	`2538`	`+aclcheck_error(aclresult,ACL_KIND_LANGUAGE,`
	`2539`	`+NameStr(langStruct->lanname));`
	`2540`	`+`
	`2541`	`+/*`
	`2542`	`+ * Check whether we are allowed to execute the function itself. If we can`
	`2543`	`+ * execute it, there should be no possible side-effect of`
	`2544`	`+ * compiling/validation that execution can't have.`
	`2545`	`+ */`
	`2546`	`+aclresult=pg_proc_aclcheck(functionOid,GetUserId(),ACL_EXECUTE);`
	`2547`	`+if (aclresult!=ACLCHECK_OK)`
	`2548`	`+aclcheck_error(aclresult,ACL_KIND_PROC,NameStr(procStruct->proname));`
	`2549`	`+`
	`2550`	`+ReleaseSysCache(procTup);`
	`2551`	`+ReleaseSysCache(langTup);`
	`2552`	`+`
	`2553`	`+return true;`
	`2554`	`+}`

`‎src/include/fmgr.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -629,6 +629,7 @@ extern Oidget_call_expr_argtype(fmNodePtr expr, int argnum);`
`629`	`629`	`externboolget_fn_expr_arg_stable(FmgrInfo*flinfo,intargnum);`
`630`	`630`	`externboolget_call_expr_arg_stable(fmNodePtrexpr,intargnum);`
`631`	`631`	`externboolget_fn_expr_variadic(FmgrInfo*flinfo);`
	`632`	`+externboolCheckFunctionValidatorAccess(OidvalidatorOid,OidfunctionOid);`
`632`	`633`
`633`	`634`	`/*`
`634`	`635`	`* Routines in dfmgr.c`

`‎src/pl/plperl/plperl.c`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1883,6 +1883,9 @@ plperl_validator(PG_FUNCTION_ARGS)`
`1883`	`1883`	`boolis_event_trigger= false;`
`1884`	`1884`	`inti;`
`1885`	`1885`
	`1886`	`+if (!CheckFunctionValidatorAccess(fcinfo->flinfo->fn_oid,funcoid))`
	`1887`	`+PG_RETURN_VOID();`
	`1888`	`+`
`1886`	`1889`	`/* Get the new function's pg_proc entry */`
`1887`	`1890`	`tuple=SearchSysCache1(PROCOID,ObjectIdGetDatum(funcoid));`
`1888`	`1891`	`if (!HeapTupleIsValid(tuple))`
`@@ -1964,6 +1967,7 @@ PG_FUNCTION_INFO_V1(plperlu_validator);`
`1964`	`1967`	`Datum`
`1965`	`1968`	`plperlu_validator(PG_FUNCTION_ARGS)`
`1966`	`1969`	`{`
	`1970`	`+/* call plperl validator with our fcinfo so it gets our oid */`
`1967`	`1971`	`returnplperl_validator(fcinfo);`
`1968`	`1972`	`}`
`1969`	`1973`

`‎src/pl/plpgsql/src/pl_handler.c`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -290,6 +290,9 @@ plpgsql_validator(PG_FUNCTION_ARGS)`
`290`	`290`	`boolis_event_trigger= false;`
`291`	`291`	`inti;`
`292`	`292`
	`293`	`+if (!CheckFunctionValidatorAccess(fcinfo->flinfo->fn_oid,funcoid))`
	`294`	`+PG_RETURN_VOID();`
	`295`	`+`
`293`	`296`	`/* Get the new function's pg_proc entry */`
`294`	`297`	`tuple=SearchSysCache1(PROCOID,ObjectIdGetDatum(funcoid));`
`295`	`298`	`if (!HeapTupleIsValid(tuple))`

`‎src/pl/plpython/plpy_main.c`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -160,6 +160,9 @@ plpython_validator(PG_FUNCTION_ARGS)`
`160`	`160`	`Form_pg_procprocStruct;`
`161`	`161`	`boolis_trigger;`
`162`	`162`
	`163`	`+if (!CheckFunctionValidatorAccess(fcinfo->flinfo->fn_oid,funcoid))`
	`164`	`+PG_RETURN_VOID();`
	`165`	`+`
`163`	`166`	`if (!check_function_bodies)`
`164`	`167`	`{`
`165`	`168`	`PG_RETURN_VOID();`
`@@ -185,6 +188,7 @@ plpython_validator(PG_FUNCTION_ARGS)`
`185`	`188`	`Datum`
`186`	`189`	`plpython2_validator(PG_FUNCTION_ARGS)`
`187`	`190`	`{`
	`191`	`+/* call plpython validator with our fcinfo so it gets our oid */`
`188`	`192`	`returnplpython_validator(fcinfo);`
`189`	`193`	`}`
`190`	`194`	`#endif/* PY_MAJOR_VERSION < 3 */`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit537cbd3

File tree

8 files changed

8 files changed

`‎doc/src/sgml/plhandler.sgml`

`‎src/backend/catalog/pg_proc.c`

`‎src/backend/commands/functioncmds.c`

`‎src/backend/utils/fmgr/fmgr.c`

`‎src/include/fmgr.h`

`‎src/pl/plperl/plperl.c`

`‎src/pl/plpgsql/src/pl_handler.c`

`‎src/pl/plpython/plpy_main.c`

0 commit comments