NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit3e13384

committed

Add missing checks to some of pageinspect's BRIN functions

brin_page_type() and brin_metapage_info() did not enforce being calledby superuser, like other pageinspect functions that take bytea do.Since they don't verify the passed page thoroughly, it is possible touse them to read the server memory with a carefully crafted bytea value,up to a file kilobytes from where the input bytea is located.Have them throw errors if called by a non-superuser.Report and initial patch: Andreas SeltenreichSecurity:CVE-2016-3065

1 parent86ebf30 commit3e13384Copy full SHA for 3e13384

File tree

1 file changed

+23

-2

lines changed

contrib/pageinspect
- brinfuncs.c

1 file changed

+23

-2

lines changed

`‎contrib/pageinspect/brinfuncs.c`

Lines changed: 23 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,23 @@ brin_page_type(PG_FUNCTION_ARGS)`
`46`	`46`	`{`
`47`	`47`	`bytea*raw_page=PG_GETARG_BYTEA_P(0);`
`48`	`48`	`Pagepage=VARDATA(raw_page);`
	`49`	`+intraw_page_size;`
`49`	`50`	`char*type;`
`50`	`51`
	`52`	`+if (!superuser())`
	`53`	`+ereport(ERROR,`
	`54`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`55`	`+ (errmsg("must be superuser to use raw page functions"))));`
	`56`	`+`
	`57`	`+raw_page_size=VARSIZE(raw_page)-VARHDRSZ;`
	`58`	`+`
	`59`	`+if (raw_page_size!=BLCKSZ)`
	`60`	`+ereport(ERROR,`
	`61`	`+(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
	`62`	`+errmsg("input page too small"),`
	`63`	`+errdetail("Expected size %d, got %d",`
	`64`	`+BLCKSZ,raw_page_size)));`
	`65`	`+`
`51`	`66`	`switch (BrinPageType(page))`
`52`	`67`	`{`
`53`	`68`	`caseBRIN_PAGETYPE_META:`
`@@ -79,11 +94,12 @@ verify_brin_page(bytea raw_page, uint16 type, const char strtype)`
`79`	`94`
`80`	`95`	`raw_page_size=VARSIZE(raw_page)-VARHDRSZ;`
`81`	`96`
`82`		`-if (raw_page_size<SizeOfPageHeaderData)`
	`97`	`+if (raw_page_size!=BLCKSZ)`
`83`	`98`	`ereport(ERROR,`
`84`	`99`	`(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
`85`	`100`	`errmsg("input page too small"),`
`86`		`-errdetail("Expected size %d, got %d",raw_page_size,BLCKSZ)));`
	`101`	`+errdetail("Expected size %d, got %d",`
	`102`	`+BLCKSZ,raw_page_size)));`
`87`	`103`
`88`	`104`	`page=VARDATA(raw_page);`
`89`	`105`
`@@ -316,6 +332,11 @@ brin_metapage_info(PG_FUNCTION_ARGS)`
`316`	`332`	`boolnulls[4];`
`317`	`333`	`HeapTuplehtup;`
`318`	`334`
	`335`	`+if (!superuser())`
	`336`	`+ereport(ERROR,`
	`337`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`338`	`+ (errmsg("must be superuser to use raw page functions"))));`
	`339`	`+`
`319`	`340`	`page=verify_brin_page(raw_page,BRIN_PAGETYPE_META,"metapage");`
`320`	`341`
`321`	`342`	`/* Build a tuple descriptor for our result type */`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3e13384

File tree

1 file changed

1 file changed

`‎contrib/pageinspect/brinfuncs.c`

0 commit comments