NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit5413eef

committed

Repair failure to check that a table is still compatible with a previously

made query plan. Use of ALTER COLUMN TYPE creates a hazard for cachedquery plans: they could contain Vars that claim a column has a differenttype than it now has. Fix this by checking during plan startup that Varsat relation scan level match the current relation tuple descriptor. Sinceat that point we already have at least AccessShareLock, we can be sure thecolumn type will not change underneath us later in the query. However,since a backend's locks do not conflict against itself, there is still ahole for an attacker to exploit: he could try to execute ALTER COLUMN TYPEwhile a query is in progress in the current backend. Seal that hole byrejecting ALTER TABLE whenever the target relation is already open inthe current backend.This is a significant security hole: not only can one trivially crash thebackend, but with appropriate misuse of pass-by-reference datatypes it ispossible to read out arbitrary locations in the server process's memory,which could allow retrieving database content the user should not be ableto see. Our thanks to Jeff Trout for the initial report.Security:CVE-2007-0556

1 parentf8eb75b commit5413eefCopy full SHA for 5413eef

File tree

13 files changed

+311

-90

lines changed

src
- backend
  - commands
    - tablecmds.c
  - executor
- include/executor
  - executor.h

13 files changed

+311

-90

lines changed

`‎src/backend/commands/tablecmds.c`

Lines changed: 50 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/commands/tablecmds.c,v 1.212 2007/01/25 04:35:10 momjian Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/commands/tablecmds.c,v 1.213 2007/02/02 00:07:02 tgl Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -1964,22 +1964,47 @@ update_ri_trigger_args(Oid relid,`
`1964`	`1964`	`void`
`1965`	`1965`	`AlterTable(AlterTableStmt*stmt)`
`1966`	`1966`	`{`
`1967`		`-ATController(relation_openrv(stmt->relation,AccessExclusiveLock),`
`1968`		`-stmt->cmds,`
`1969`		`-interpretInhOption(stmt->relation->inhOpt));`
	`1967`	`+Relationrel=relation_openrv(stmt->relation,AccessExclusiveLock);`
	`1968`	`+intexpected_refcnt;`
	`1969`	`+`
	`1970`	`+/*`
	`1971`	`+ * Disallow ALTER TABLE when the current backend has any open reference`
	`1972`	`+ * to it besides the one we just got (such as an open cursor or active`
	`1973`	`+ * plan); our AccessExclusiveLock doesn't protect us against stomping on`
	`1974`	`+ * our own foot, only other people's feet!`
	`1975`	`+ *`
	`1976`	`+ * Note: the only case known to cause serious trouble is ALTER COLUMN TYPE,`
	`1977`	`+ * and some changes are obviously pretty benign, so this could possibly`
	`1978`	`+ * be relaxed to only error out for certain types of alterations. But`
	`1979`	`+ * the use-case for allowing any of these things is not obvious, so we`
	`1980`	`+ * won't work hard at it for now.`
	`1981`	`+ */`
	`1982`	`+expected_refcnt=rel->rd_isnailed ?2 :1;`
	`1983`	`+if (rel->rd_refcnt!=expected_refcnt)`
	`1984`	`+ereport(ERROR,`
	`1985`	`+(errcode(ERRCODE_OBJECT_IN_USE),`
	`1986`	`+errmsg("relation \"%s\" is being used by active queries in this session",`
	`1987`	`+RelationGetRelationName(rel))));`
	`1988`	`+`
	`1989`	`+ATController(rel,stmt->cmds,interpretInhOption(stmt->relation->inhOpt));`
`1970`	`1990`	`}`
`1971`	`1991`
`1972`	`1992`	`/*`
`1973`	`1993`	`* AlterTableInternal`
`1974`	`1994`	`*`
`1975`	`1995`	`* ALTER TABLE with target specified by OID`
	`1996`	`+ *`
	`1997`	`+ * We do not reject if the relation is already open, because it's quite`
	`1998`	`+ * likely that one or more layers of caller have it open. That means it`
	`1999`	`+ * is unsafe to use this entry point for alterations that could break`
	`2000`	`+ * existing query plans.`
`1976`	`2001`	`*/`
`1977`	`2002`	`void`
`1978`	`2003`	`AlterTableInternal(Oidrelid,List*cmds,boolrecurse)`
`1979`	`2004`	`{`
`1980`		`-ATController(relation_open(relid,AccessExclusiveLock),`
`1981`		`-cmds,`
`1982`		`-recurse);`
	`2005`	`+Relationrel=relation_open(relid,AccessExclusiveLock);`
	`2006`	`+`
	`2007`	`+ATController(rel,cmds,recurse);`
`1983`	`2008`	`}`
`1984`	`2009`
`1985`	`2010`	`staticvoid`
`@@ -2929,6 +2954,12 @@ ATSimpleRecursion(List **wqueue, Relation rel,`
`2929`	`2954`	`if (childrelid==relid)`
`2930`	`2955`	`continue;`
`2931`	`2956`	`childrel=relation_open(childrelid,AccessExclusiveLock);`
	`2957`	`+/* check for child relation in use in this session */`
	`2958`	`+if (childrel->rd_refcnt!=1)`
	`2959`	`+ereport(ERROR,`
	`2960`	`+(errcode(ERRCODE_OBJECT_IN_USE),`
	`2961`	`+errmsg("relation \"%s\" is being used by active queries in this session",`
	`2962`	`+RelationGetRelationName(childrel))));`
`2932`	`2963`	`ATPrepCmd(wqueue,childrel,cmd, false, true);`
`2933`	`2964`	`relation_close(childrel,NoLock);`
`2934`	`2965`	`}`
`@@ -2960,6 +2991,12 @@ ATOneLevelRecursion(List **wqueue, Relation rel,`
`2960`	`2991`	`Relationchildrel;`
`2961`	`2992`
`2962`	`2993`	`childrel=relation_open(childrelid,AccessExclusiveLock);`
	`2994`	`+/* check for child relation in use in this session */`
	`2995`	`+if (childrel->rd_refcnt!=1)`
	`2996`	`+ereport(ERROR,`
	`2997`	`+(errcode(ERRCODE_OBJECT_IN_USE),`
	`2998`	`+errmsg("relation \"%s\" is being used by active queries in this session",`
	`2999`	`+RelationGetRelationName(childrel))));`
`2963`	`3000`	`ATPrepCmd(wqueue,childrel,cmd, true, true);`
`2964`	`3001`	`relation_close(childrel,NoLock);`
`2965`	`3002`	`}`
`@@ -3765,6 +3802,12 @@ ATExecDropColumn(Relation rel, const char *colName,`
`3765`	`3802`	`Form_pg_attributechildatt;`
`3766`	`3803`
`3767`	`3804`	`childrel=heap_open(childrelid,AccessExclusiveLock);`
	`3805`	`+/* check for child relation in use in this session */`
	`3806`	`+if (childrel->rd_refcnt!=1)`
	`3807`	`+ereport(ERROR,`
	`3808`	`+(errcode(ERRCODE_OBJECT_IN_USE),`
	`3809`	`+errmsg("relation \"%s\" is being used by active queries in this session",`
	`3810`	`+RelationGetRelationName(childrel))));`
`3768`	`3811`
`3769`	`3812`	`tuple=SearchSysCacheCopyAttName(childrelid,colName);`
`3770`	`3813`	`if (!HeapTupleIsValid(tuple))/* shouldn't happen */`

`‎src/backend/executor/execMain.c`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@`
`26`	`26`	`*`
`27`	`27`	`*`
`28`	`28`	`* IDENTIFICATION`
`29`		`- * $PostgreSQL: pgsql/src/backend/executor/execMain.c,v 1.285 2007/01/25 04:35:10 momjian Exp $`
	`29`	`+ * $PostgreSQL: pgsql/src/backend/executor/execMain.c,v 1.286 2007/02/02 00:07:02 tgl Exp $`
`30`	`30`	`*`
`31`	`31`	`*-------------------------------------------------------------------------`
`32`	`32`	`*/`
`@@ -804,7 +804,8 @@ InitPlan(QueryDesc *queryDesc, int eflags)`
`804`	`804`
`805`	`805`	`rliststate= (List)ExecInitExpr((Expr)rlist,planstate);`
`806`	`806`	`resultRelInfo->ri_projectReturning=`
`807`		`-ExecBuildProjectionInfo(rliststate,econtext,slot);`
	`807`	`+ExecBuildProjectionInfo(rliststate,econtext,slot,`
	`808`	`+resultRelInfo->ri_RelationDesc->rd_att);`
`808`	`809`	`resultRelInfo++;`
`809`	`810`	`}`
`810`	`811`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5413eef

File tree

13 files changed

13 files changed

`‎src/backend/commands/tablecmds.c`

`‎src/backend/executor/execMain.c`

0 commit comments