Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit2485a85

Browse files
Fix privilege checks in pg_stats_ext and pg_stats_ext_exprs.
The catalog view pg_stats_ext fails to consider privileges forexpression statistics. The catalog view pg_stats_ext_exprs failsto consider privileges and row-level security policies. To fix,restrict the data in these views to table owners or roles thatinherit privileges of the table owner. It may be possible to applyless restrictive privilege checks in some cases, but that is leftas a future exercise. Furthermore, for pg_stats_ext_exprs, do notreturn data for tables with row-level security enabled, as isalready done for pg_stats_ext.On the back-branches, a fix-CVE-2024-4317.sql script is providedthat will install into the "share" directory. This file can beused to apply the fix to existing clusters.Bumps catversion on 'master' branch only.Reported-by: Lukas FittlReviewed-by: Noah Misch, Tomas Vondra, Tom LaneSecurity:CVE-2024-4317Backpatch-through: 14
1 parent3855bf9 commit2485a85

File tree

9 files changed

+200
-17
lines changed

9 files changed

+200
-17
lines changed

‎doc/src/sgml/catalogs.sgml‎

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7733,8 +7733,7 @@ SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&l
77337733
is a publicly readable view
77347734
on <structname>pg_statistic_ext_data</structname> (after joining
77357735
with <link linkend="catalog-pg-statistic-ext"><structname>pg_statistic_ext</structname></link>) that only exposes
7736-
information about those tables and columns that are readable by the
7737-
current user.
7736+
information about tables the current user owns.
77387737
</para>
77397738

77407739
<table>

‎doc/src/sgml/system-views.sgml‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3823,7 +3823,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
38233823
and <link linkend="catalog-pg-statistic-ext-data"><structname>pg_statistic_ext_data</structname></link>
38243824
catalogs. This view allows access only to rows of
38253825
<link linkend="catalog-pg-statistic-ext"><structname>pg_statistic_ext</structname></link> and <link linkend="catalog-pg-statistic-ext-data"><structname>pg_statistic_ext_data</structname></link>
3826-
that correspond to tables the userhas permission to read, and therefore
3826+
that correspond to tables the userowns, and therefore
38273827
it is safe to allow public read access to this view.
38283828
</para>
38293829

@@ -4034,7 +4034,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
40344034
and <link linkend="catalog-pg-statistic-ext-data"><structname>pg_statistic_ext_data</structname></link>
40354035
catalogs. This view allows access only to rows of
40364036
<link linkend="catalog-pg-statistic-ext"><structname>pg_statistic_ext</structname></link> and <link linkend="catalog-pg-statistic-ext-data"><structname>pg_statistic_ext_data</structname></link>
4037-
that correspond to tables the userhas permission to read, and therefore
4037+
that correspond to tables the userowns, and therefore
40384038
it is safe to allow public read access to this view.
40394039
</para>
40404040

‎src/backend/catalog/Makefile‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -130,13 +130,14 @@ install-data: bki-stamp installdirs
130130
$(INSTALL_DATA)$(srcdir)/system_views.sql'$(DESTDIR)$(datadir)/system_views.sql'
131131
$(INSTALL_DATA)$(srcdir)/information_schema.sql'$(DESTDIR)$(datadir)/information_schema.sql'
132132
$(INSTALL_DATA)$(srcdir)/sql_features.txt'$(DESTDIR)$(datadir)/sql_features.txt'
133+
$(INSTALL_DATA)$(srcdir)/fix-CVE-2024-4317.sql'$(DESTDIR)$(datadir)/fix-CVE-2024-4317.sql'
133134

134135
installdirs:
135136
$(MKDIR_P)'$(DESTDIR)$(datadir)'
136137

137138
.PHONY: uninstall-data
138139
uninstall-data:
139-
rm -f$(addprefix '$(DESTDIR)$(datadir)'/, postgres.bki system_constraints.sql system_functions.sql system_views.sql information_schema.sql sql_features.txt)
140+
rm -f$(addprefix '$(DESTDIR)$(datadir)'/, postgres.bki system_constraints.sql system_functions.sql system_views.sql information_schema.sql sql_features.txt fix-CVE-2024-4317.sql)
140141

141142
# postgres.bki, system_constraints.sql, and the generated headers are
142143
# in the distribution tarball, so they are not cleaned here.
Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,117 @@
1+
/*
2+
* fix-CVE-2024-4317.sql
3+
*
4+
* Copyright (c) 2024, PostgreSQL Global Development Group
5+
*
6+
* src/backend/catalog/fix-CVE-2024-4317.sql
7+
*
8+
* This file should be run in every database in the cluster to address
9+
* CVE-2024-4317.
10+
*/
11+
12+
SET search_path= pg_catalog;
13+
14+
CREATE OR REPLACEVIEWpg_stats_ext WITH (security_barrier)AS
15+
SELECTcn.nspnameAS schemaname,
16+
c.relnameAS tablename,
17+
sn.nspnameAS statistics_schemaname,
18+
s.stxnameAS statistics_name,
19+
pg_get_userbyid(s.stxowner)AS statistics_owner,
20+
(SELECT array_agg(a.attnameORDER BYa.attnum)
21+
FROM unnest(s.stxkeys) k
22+
JOIN pg_attribute a
23+
ON (a.attrelid=s.stxrelidANDa.attnum= k)
24+
)AS attnames,
25+
pg_get_statisticsobjdef_expressions(s.oid)as exprs,
26+
s.stxkindAS kinds,
27+
sd.stxdinheritAS inherited,
28+
sd.stxdndistinctAS n_distinct,
29+
sd.stxddependenciesAS dependencies,
30+
m.most_common_vals,
31+
m.most_common_val_nulls,
32+
m.most_common_freqs,
33+
m.most_common_base_freqs
34+
FROM pg_statistic_ext sJOIN pg_class cON (c.oid=s.stxrelid)
35+
JOIN pg_statistic_ext_data sdON (s.oid=sd.stxoid)
36+
LEFT JOIN pg_namespace cnON (cn.oid=c.relnamespace)
37+
LEFT JOIN pg_namespace snON (sn.oid=s.stxnamespace)
38+
LEFT JOIN LATERAL
39+
(SELECT array_agg(values)AS most_common_vals,
40+
array_agg(nulls)AS most_common_val_nulls,
41+
array_agg(frequency)AS most_common_freqs,
42+
array_agg(base_frequency)AS most_common_base_freqs
43+
FROM pg_mcv_list_items(sd.stxdmcv)
44+
) mONsd.stxdmcvIS NOT NULL
45+
WHERE pg_has_role(c.relowner,'USAGE')
46+
AND (c.relrowsecurity= falseOR NOT row_security_active(c.oid));
47+
48+
CREATE OR REPLACEVIEWpg_stats_ext_exprs WITH (security_barrier)AS
49+
SELECTcn.nspnameAS schemaname,
50+
c.relnameAS tablename,
51+
sn.nspnameAS statistics_schemaname,
52+
s.stxnameAS statistics_name,
53+
pg_get_userbyid(s.stxowner)AS statistics_owner,
54+
stat.expr,
55+
sd.stxdinheritAS inherited,
56+
(stat.a).stanullfracAS null_frac,
57+
(stat.a).stawidthAS avg_width,
58+
(stat.a).stadistinctAS n_distinct,
59+
(CASE
60+
WHEN (stat.a).stakind1=1 THEN (stat.a).stavalues1
61+
WHEN (stat.a).stakind2=1 THEN (stat.a).stavalues2
62+
WHEN (stat.a).stakind3=1 THEN (stat.a).stavalues3
63+
WHEN (stat.a).stakind4=1 THEN (stat.a).stavalues4
64+
WHEN (stat.a).stakind5=1 THEN (stat.a).stavalues5
65+
END)AS most_common_vals,
66+
(CASE
67+
WHEN (stat.a).stakind1=1 THEN (stat.a).stanumbers1
68+
WHEN (stat.a).stakind2=1 THEN (stat.a).stanumbers2
69+
WHEN (stat.a).stakind3=1 THEN (stat.a).stanumbers3
70+
WHEN (stat.a).stakind4=1 THEN (stat.a).stanumbers4
71+
WHEN (stat.a).stakind5=1 THEN (stat.a).stanumbers5
72+
END)AS most_common_freqs,
73+
(CASE
74+
WHEN (stat.a).stakind1=2 THEN (stat.a).stavalues1
75+
WHEN (stat.a).stakind2=2 THEN (stat.a).stavalues2
76+
WHEN (stat.a).stakind3=2 THEN (stat.a).stavalues3
77+
WHEN (stat.a).stakind4=2 THEN (stat.a).stavalues4
78+
WHEN (stat.a).stakind5=2 THEN (stat.a).stavalues5
79+
END)AS histogram_bounds,
80+
(CASE
81+
WHEN (stat.a).stakind1=3 THEN (stat.a).stanumbers1[1]
82+
WHEN (stat.a).stakind2=3 THEN (stat.a).stanumbers2[1]
83+
WHEN (stat.a).stakind3=3 THEN (stat.a).stanumbers3[1]
84+
WHEN (stat.a).stakind4=3 THEN (stat.a).stanumbers4[1]
85+
WHEN (stat.a).stakind5=3 THEN (stat.a).stanumbers5[1]
86+
END) correlation,
87+
(CASE
88+
WHEN (stat.a).stakind1=4 THEN (stat.a).stavalues1
89+
WHEN (stat.a).stakind2=4 THEN (stat.a).stavalues2
90+
WHEN (stat.a).stakind3=4 THEN (stat.a).stavalues3
91+
WHEN (stat.a).stakind4=4 THEN (stat.a).stavalues4
92+
WHEN (stat.a).stakind5=4 THEN (stat.a).stavalues5
93+
END)AS most_common_elems,
94+
(CASE
95+
WHEN (stat.a).stakind1=4 THEN (stat.a).stanumbers1
96+
WHEN (stat.a).stakind2=4 THEN (stat.a).stanumbers2
97+
WHEN (stat.a).stakind3=4 THEN (stat.a).stanumbers3
98+
WHEN (stat.a).stakind4=4 THEN (stat.a).stanumbers4
99+
WHEN (stat.a).stakind5=4 THEN (stat.a).stanumbers5
100+
END)AS most_common_elem_freqs,
101+
(CASE
102+
WHEN (stat.a).stakind1=5 THEN (stat.a).stanumbers1
103+
WHEN (stat.a).stakind2=5 THEN (stat.a).stanumbers2
104+
WHEN (stat.a).stakind3=5 THEN (stat.a).stanumbers3
105+
WHEN (stat.a).stakind4=5 THEN (stat.a).stanumbers4
106+
WHEN (stat.a).stakind5=5 THEN (stat.a).stanumbers5
107+
END)AS elem_count_histogram
108+
FROM pg_statistic_ext sJOIN pg_class cON (c.oid=s.stxrelid)
109+
LEFT JOIN pg_statistic_ext_data sdON (s.oid=sd.stxoid)
110+
LEFT JOIN pg_namespace cnON (cn.oid=c.relnamespace)
111+
LEFT JOIN pg_namespace snON (sn.oid=s.stxnamespace)
112+
JOIN LATERAL (
113+
SELECT unnest(pg_get_statisticsobjdef_expressions(s.oid))AS expr,
114+
unnest(sd.stxdexpr)::pg_statisticAS a
115+
) statON (stat.exprIS NOT NULL)
116+
WHERE pg_has_role(c.relowner,'USAGE')
117+
AND (c.relrowsecurity= falseOR NOT row_security_active(c.oid));

‎src/backend/catalog/meson.build‎

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,7 @@ backend_sources += files(
3838

3939

4040
install_data(
41+
'fix-CVE-2024-4317.sql',
4142
'information_schema.sql',
4243
'sql_features.txt',
4344
'system_functions.sql',

‎src/backend/catalog/system_views.sql‎

Lines changed: 4 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -284,12 +284,7 @@ CREATE VIEW pg_stats_ext WITH (security_barrier) AS
284284
array_agg(base_frequency)AS most_common_base_freqs
285285
FROM pg_mcv_list_items(sd.stxdmcv)
286286
) mONsd.stxdmcvIS NOT NULL
287-
WHERE NOT EXISTS
288-
(SELECT1
289-
FROM unnest(stxkeys) k
290-
JOIN pg_attribute a
291-
ON (a.attrelid=s.stxrelidANDa.attnum= k)
292-
WHERE NOT has_column_privilege(c.oid,a.attnum,'select') )
287+
WHERE pg_has_role(c.relowner,'USAGE')
293288
AND (c.relrowsecurity= falseOR NOT row_security_active(c.oid));
294289

295290
CREATEVIEWpg_stats_ext_exprs WITH (security_barrier)AS
@@ -359,7 +354,9 @@ CREATE VIEW pg_stats_ext_exprs WITH (security_barrier) AS
359354
JOIN LATERAL (
360355
SELECT unnest(pg_get_statisticsobjdef_expressions(s.oid))AS expr,
361356
unnest(sd.stxdexpr)::pg_statisticAS a
362-
) statON (stat.exprIS NOT NULL);
357+
) statON (stat.exprIS NOT NULL)
358+
WHERE pg_has_role(c.relowner,'USAGE')
359+
AND (c.relrowsecurity= falseOR NOT row_security_active(c.oid));
363360

364361
-- unprivileged users may read pg_statistic_ext but not pg_statistic_ext_data
365362
REVOKE ALLON pg_statistic_ext_dataFROM public;

‎src/test/regress/expected/rules.out‎

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2497,10 +2497,7 @@ pg_stats_ext| SELECT cn.nspname AS schemaname,
24972497
array_agg(pg_mcv_list_items.frequency) AS most_common_freqs,
24982498
array_agg(pg_mcv_list_items.base_frequency) AS most_common_base_freqs
24992499
FROM pg_mcv_list_items(sd.stxdmcv) pg_mcv_list_items(index, "values", nulls, frequency, base_frequency)) m ON ((sd.stxdmcv IS NOT NULL)))
2500-
WHERE ((NOT (EXISTS ( SELECT 1
2501-
FROM (unnest(s.stxkeys) k(k)
2502-
JOIN pg_attribute a ON (((a.attrelid = s.stxrelid) AND (a.attnum = k.k))))
2503-
WHERE (NOT has_column_privilege(c.oid, a.attnum, 'select'::text))))) AND ((c.relrowsecurity = false) OR (NOT row_security_active(c.oid))));
2500+
WHERE (pg_has_role(c.relowner, 'USAGE'::text) AND ((c.relrowsecurity = false) OR (NOT row_security_active(c.oid))));
25042501
pg_stats_ext_exprs| SELECT cn.nspname AS schemaname,
25052502
c.relname AS tablename,
25062503
sn.nspname AS statistics_schemaname,
@@ -2573,7 +2570,8 @@ pg_stats_ext_exprs| SELECT cn.nspname AS schemaname,
25732570
LEFT JOIN pg_namespace cn ON ((cn.oid = c.relnamespace)))
25742571
LEFT JOIN pg_namespace sn ON ((sn.oid = s.stxnamespace)))
25752572
JOIN LATERAL ( SELECT unnest(pg_get_statisticsobjdef_expressions(s.oid)) AS expr,
2576-
unnest(sd.stxdexpr) AS a) stat ON ((stat.expr IS NOT NULL)));
2573+
unnest(sd.stxdexpr) AS a) stat ON ((stat.expr IS NOT NULL)))
2574+
WHERE (pg_has_role(c.relowner, 'USAGE'::text) AND ((c.relrowsecurity = false) OR (NOT row_security_active(c.oid))));
25772575
pg_tables| SELECT n.nspname AS schemaname,
25782576
c.relname AS tablename,
25792577
pg_get_userbyid(c.relowner) AS tableowner,

‎src/test/regress/expected/stats_ext.out‎

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3281,10 +3281,53 @@ SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not le
32813281
(0 rows)
32823282

32833283
DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak
3284+
-- privilege checks for pg_stats_ext and pg_stats_ext_exprs
3285+
RESET SESSION AUTHORIZATION;
3286+
CREATE TABLE stats_ext_tbl (id INT PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY, col TEXT);
3287+
INSERT INTO stats_ext_tbl (col) VALUES ('secret'), ('secret'), ('very secret');
3288+
CREATE STATISTICS s_col ON id, col FROM stats_ext_tbl;
3289+
CREATE STATISTICS s_expr ON mod(id, 2), lower(col) FROM stats_ext_tbl;
3290+
ANALYZE stats_ext_tbl;
3291+
-- unprivileged role should not have access
3292+
SET SESSION AUTHORIZATION regress_stats_user1;
3293+
SELECT statistics_name, most_common_vals FROM pg_stats_ext x
3294+
WHERE tablename = 'stats_ext_tbl' ORDER BY ROW(x.*);
3295+
statistics_name | most_common_vals
3296+
-----------------+------------------
3297+
(0 rows)
3298+
3299+
SELECT statistics_name, most_common_vals FROM pg_stats_ext_exprs x
3300+
WHERE tablename = 'stats_ext_tbl' ORDER BY ROW(x.*);
3301+
statistics_name | most_common_vals
3302+
-----------------+------------------
3303+
(0 rows)
3304+
3305+
-- give unprivileged role ownership of table
3306+
RESET SESSION AUTHORIZATION;
3307+
ALTER TABLE stats_ext_tbl OWNER TO regress_stats_user1;
3308+
-- unprivileged role should now have access
3309+
SET SESSION AUTHORIZATION regress_stats_user1;
3310+
SELECT statistics_name, most_common_vals FROM pg_stats_ext x
3311+
WHERE tablename = 'stats_ext_tbl' ORDER BY ROW(x.*);
3312+
statistics_name | most_common_vals
3313+
-----------------+-------------------------------------------
3314+
s_col | {{1,secret},{2,secret},{3,"very secret"}}
3315+
s_expr | {{0,secret},{1,secret},{1,"very secret"}}
3316+
(2 rows)
3317+
3318+
SELECT statistics_name, most_common_vals FROM pg_stats_ext_exprs x
3319+
WHERE tablename = 'stats_ext_tbl' ORDER BY ROW(x.*);
3320+
statistics_name | most_common_vals
3321+
-----------------+------------------
3322+
s_expr | {secret}
3323+
s_expr | {1}
3324+
(2 rows)
3325+
32843326
-- Tidy up
32853327
DROP OPERATOR <<< (int, int);
32863328
DROP FUNCTION op_leak(int, int);
32873329
RESET SESSION AUTHORIZATION;
3330+
DROP TABLE stats_ext_tbl;
32883331
DROP SCHEMA tststats CASCADE;
32893332
NOTICE: drop cascades to 2 other objects
32903333
DETAIL: drop cascades to table tststats.priv_test_tbl

‎src/test/regress/sql/stats_ext.sql‎

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1657,9 +1657,36 @@ SET SESSION AUTHORIZATION regress_stats_user1;
16571657
SELECT*FROMtststats.priv_test_tblWHERE a<<<0AND b<<<0;-- Should not leak
16581658
DELETEFROMtststats.priv_test_tblWHERE a<<<0AND b<<<0;-- Should not leak
16591659

1660+
-- privilege checks for pg_stats_ext and pg_stats_ext_exprs
1661+
RESET SESSION AUTHORIZATION;
1662+
CREATETABLEstats_ext_tbl (idINTPRIMARY KEY GENERATED BY DEFAULTAS IDENTITY, colTEXT);
1663+
INSERT INTO stats_ext_tbl (col)VALUES ('secret'), ('secret'), ('very secret');
1664+
CREATE STATISTICS s_colON id, colFROM stats_ext_tbl;
1665+
CREATE STATISTICS s_exprON mod(id,2),lower(col)FROM stats_ext_tbl;
1666+
ANALYZE stats_ext_tbl;
1667+
1668+
-- unprivileged role should not have access
1669+
SET SESSION AUTHORIZATION regress_stats_user1;
1670+
SELECT statistics_name, most_common_valsFROM pg_stats_ext x
1671+
WHERE tablename='stats_ext_tbl'ORDER BY ROW(x.*);
1672+
SELECT statistics_name, most_common_valsFROM pg_stats_ext_exprs x
1673+
WHERE tablename='stats_ext_tbl'ORDER BY ROW(x.*);
1674+
1675+
-- give unprivileged role ownership of table
1676+
RESET SESSION AUTHORIZATION;
1677+
ALTERTABLE stats_ext_tbl OWNER TO regress_stats_user1;
1678+
1679+
-- unprivileged role should now have access
1680+
SET SESSION AUTHORIZATION regress_stats_user1;
1681+
SELECT statistics_name, most_common_valsFROM pg_stats_ext x
1682+
WHERE tablename='stats_ext_tbl'ORDER BY ROW(x.*);
1683+
SELECT statistics_name, most_common_valsFROM pg_stats_ext_exprs x
1684+
WHERE tablename='stats_ext_tbl'ORDER BY ROW(x.*);
1685+
16601686
-- Tidy up
16611687
DROPOPERATOR<<< (int,int);
16621688
DROPFUNCTION op_leak(int,int);
16631689
RESET SESSION AUTHORIZATION;
1690+
DROPTABLE stats_ext_tbl;
16641691
DROPSCHEMA tststats CASCADE;
16651692
DROPUSER regress_stats_user1;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp