NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commite1e0a4d

committed

Avoid repeated name lookups during table and index DDL.

If the name lookups come to different conclusions due to concurrentactivity, we might perform some parts of the DDL on a different tablethan other parts. At least in the case of CREATE INDEX, this can beused to cause the permissions checks to be performed against adifferent table than the index creation, allowing for a privilegeescalation attack.This changes the calling convention for DefineIndex, CreateTrigger,transformIndexStmt, transformAlterTableStmt, CheckIndexCompatible(in 9.2 and newer), and AlterTable (in 9.1 and older). In addition,CheckRelationOwnership is removed in 9.2 and newer and the callingconvention is changed in older branches. A field has also been addedto the Constraint node (FkConstraint in 8.4). Third-party code callingthese functions or using the Constraint node will require updating.Report by Andres Freund. Patch by Robert Haas and Andres Freund,reviewed by Tom Lane.Security:CVE-2014-0062

1 parent30b1c40 commite1e0a4dCopy full SHA for e1e0a4d

File tree

18 files changed

+234

-157

lines changed

src
- backend
  - bootstrap
    - bootparse.y
  - catalog
    - index.c
    - pg_constraint.c
  - commands
  - nodes
  - parser
    - parse_utilcmd.c
  - tcop
    - utility.c
- include
  - catalog
    - pg_constraint.h
  - commands
  - nodes
    - parsenodes.h
  - parser
    - parse_utilcmd.h
  - tcop
    - utility.h

18 files changed

+234

-157

lines changed

`‎src/backend/bootstrap/bootparse.y‎`

Lines changed: 15 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@`
`27`	`27`	`#include"bootstrap/bootstrap.h"`
`28`	`28`	`#include"catalog/catalog.h"`
`29`	`29`	`#include"catalog/heap.h"`
	`30`	`+#include"catalog/namespace.h"`
`30`	`31`	`#include"catalog/pg_am.h"`
`31`	`32`	`#include"catalog/pg_attribute.h"`
`32`	`33`	`#include"catalog/pg_authid.h"`
`@@ -282,6 +283,7 @@ Boot_DeclareIndexStmt:`
`282`	`283`	`XDECLAREINDEXboot_identoidspecONboot_identUSINGboot_identLPARENboot_index_paramsRPAREN`
`283`	`284`	`{`
`284`	`285`	`IndexStmt *stmt = makeNode(IndexStmt);`
	`286`	`+OidrelationId;`
`285`	`287`
`286`	`288`	`do_start();`
`287`	`289`
`@@ -303,7 +305,12 @@ Boot_DeclareIndexStmt:`
`303`	`305`	`stmt->initdeferred =false;`
`304`	`306`	`stmt->concurrent =false;`
`305`	`307`
`306`		`-DefineIndex(stmt,`
	`308`	`+/* locks and races need not concern us in bootstrap mode*/`
	`309`	`+relationId = RangeVarGetRelid(stmt->relation, NoLock,`
	`310`	`+false);`
	`311`	`+`
	`312`	`+DefineIndex(relationId,`
	`313`	`+stmt,`
`307`	`314`	`$4,`
`308`	`315`	`false,`
`309`	`316`	`false,`
`@@ -317,6 +324,7 @@ Boot_DeclareUniqueIndexStmt:`
`317`	`324`	`XDECLAREUNIQUEINDEXboot_identoidspecONboot_identUSINGboot_identLPARENboot_index_paramsRPAREN`
`318`	`325`	`{`
`319`	`326`	`IndexStmt *stmt = makeNode(IndexStmt);`
	`327`	`+OidrelationId;`
`320`	`328`
`321`	`329`	`do_start();`
`322`	`330`
`@@ -338,7 +346,12 @@ Boot_DeclareUniqueIndexStmt:`
`338`	`346`	`stmt->initdeferred =false;`
`339`	`347`	`stmt->concurrent =false;`
`340`	`348`
`341`		`-DefineIndex(stmt,`
	`349`	`+/* locks and races need not concern us in bootstrap mode*/`
	`350`	`+relationId = RangeVarGetRelid(stmt->relation, NoLock,`
	`351`	`+false);`
	`352`	`+`
	`353`	`+DefineIndex(relationId,`
	`354`	`+stmt,`
`342`	`355`	`$5,`
`343`	`356`	`false,`
`344`	`357`	`false,`

`‎src/backend/catalog/index.c‎`

Lines changed: 3 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -1214,18 +1214,13 @@ index_constraint_create(Relation heapRelation,`
`1214`	`1214`	`*/`
`1215`	`1215`	`if (deferrable)`
`1216`	`1216`	`{`
`1217`		`-RangeVar*heapRel;`
`1218`	`1217`	`CreateTrigStmt*trigger;`
`1219`	`1218`
`1220`		`-heapRel=makeRangeVar(get_namespace_name(namespaceId),`
`1221`		`-pstrdup(RelationGetRelationName(heapRelation)),`
`1222`		`--1);`
`1223`		`-`
`1224`	`1219`	`trigger=makeNode(CreateTrigStmt);`
`1225`	`1220`	`trigger->trigname= (constraintType==CONSTRAINT_PRIMARY) ?`
`1226`	`1221`	`"PK_ConstraintTrigger" :`
`1227`	`1222`	`"Unique_ConstraintTrigger";`
`1228`		`-trigger->relation=heapRel;`
	`1223`	`+trigger->relation=NULL;`
`1229`	`1224`	`trigger->funcname=SystemFuncName("unique_key_recheck");`
`1230`	`1225`	`trigger->args=NIL;`
`1231`	`1226`	`trigger->row= true;`
`@@ -1238,7 +1233,8 @@ index_constraint_create(Relation heapRelation,`
`1238`	`1233`	`trigger->initdeferred=initdeferred;`
`1239`	`1234`	`trigger->constrrel=NULL;`
`1240`	`1235`
`1241`		`-(void)CreateTrigger(trigger,NULL,conOid,indexRelationId, true);`
	`1236`	`+(void)CreateTrigger(trigger,NULL,RelationGetRelid(heapRelation),`
	`1237`	`+InvalidOid,conOid,indexRelationId, true);`
`1242`	`1238`	`}`
`1243`	`1239`
`1244`	`1240`	`/*`

`‎src/backend/catalog/pg_constraint.c‎`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -751,6 +751,25 @@ AlterConstraintNamespaces(Oid ownerId, Oid oldNspId,`
`751`	`751`	`heap_close(conRel,RowExclusiveLock);`
`752`	`752`	`}`
`753`	`753`
	`754`	`+/*`
	`755`	`+ * get_constraint_relation_oids`
	`756`	`+ *Find the IDs of the relations to which a constraint refers.`
	`757`	`+ */`
	`758`	`+void`
	`759`	`+get_constraint_relation_oids(Oidconstraint_oid,Oidconrelid,Oidconfrelid)`
	`760`	`+{`
	`761`	`+HeapTupletup;`
	`762`	`+Form_pg_constraintcon;`
	`763`	`+`
	`764`	`+tup=SearchSysCache1(CONSTROID,ObjectIdGetDatum(constraint_oid));`
	`765`	`+if (!HeapTupleIsValid(tup))/* should not happen */`
	`766`	`+elog(ERROR,"cache lookup failed for constraint %u",constraint_oid);`
	`767`	`+con= (Form_pg_constraint)GETSTRUCT(tup);`
	`768`	`+*conrelid=con->conrelid;`
	`769`	`+*confrelid=con->confrelid;`
	`770`	`+ReleaseSysCache(tup);`
	`771`	`+}`
	`772`	`+`
`754`	`773`	`/*`
`755`	`774`	`* get_relation_constraint_oid`
`756`	`775`	`*Find a constraint on the specified relation with the specified name.`

`‎src/backend/commands/indexcmds.c‎`

Lines changed: 14 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,6 @@ static void RangeVarCallbackForReindexIndex(const RangeVar *relation,`
`112`	`112`	`*/`
`113`	`113`	`bool`
`114`	`114`	`CheckIndexCompatible(OidoldId,`
`115`		`-RangeVar*heapRelation,`
`116`	`115`	`char*accessMethodName,`
`117`	`116`	`List*attributeList,`
`118`	`117`	`List*exclusionOpNames)`
`@@ -140,7 +139,7 @@ CheckIndexCompatible(Oid oldId,`
`140`	`139`	`Datumd;`
`141`	`140`
`142`	`141`	`/* Caller should already have the relation locked in some way. */`
`143`		`-relationId=RangeVarGetRelid(heapRelation,NoLock, false);`
	`142`	`+relationId=IndexGetRelation(oldId, false);`
`144`	`143`
`145`	`144`	`/*`
`146`	`145`	`* We can pretend isconstraint = false unconditionally. It only serves to`
`@@ -280,6 +279,8 @@ CheckIndexCompatible(Oid oldId,`
`280`	`279`	`* DefineIndex`
`281`	`280`	`*Creates a new index.`
`282`	`281`	`*`
	`282`	`+ * 'relationId': the OID of the heap relation on which the index is to be`
	`283`	`+ *created`
`283`	`284`	`* 'stmt': IndexStmt describing the properties of the new index.`
`284`	`285`	`* 'indexRelationId': normally InvalidOid, but during bootstrap can be`
`285`	`286`	`*nonzero to specify a preselected OID for the index.`
`@@ -293,7 +294,8 @@ CheckIndexCompatible(Oid oldId,`
`293`	`294`	`* Returns the OID of the created index.`
`294`	`295`	`*/`
`295`	`296`	`Oid`
`296`		`-DefineIndex(IndexStmt*stmt,`
	`297`	`+DefineIndex(OidrelationId,`
	`298`	`+IndexStmt*stmt,`
`297`	`299`	`OidindexRelationId,`
`298`	`300`	`boolis_alter_table,`
`299`	`301`	`boolcheck_rights,`
`@@ -306,7 +308,6 @@ DefineIndex(IndexStmt *stmt,`
`306`	`308`	`Oid*collationObjectId;`
`307`	`309`	`Oid*classObjectId;`
`308`	`310`	`OidaccessMethodId;`
`309`		`-OidrelationId;`
`310`	`311`	`OidnamespaceId;`
`311`	`312`	`OidtablespaceId;`
`312`	`313`	`List*indexColNames;`
`@@ -326,6 +327,7 @@ DefineIndex(IndexStmt *stmt,`
`326`	`327`	`intn_old_snapshots;`
`327`	`328`	`LockRelIdheaprelid;`
`328`	`329`	`LOCKTAGheaplocktag;`
	`330`	`+LOCKMODElockmode;`
`329`	`331`	`Snapshotsnapshot;`
`330`	`332`	`inti;`
`331`	`333`
`@@ -344,14 +346,18 @@ DefineIndex(IndexStmt *stmt,`
`344`	`346`	`INDEX_MAX_KEYS)));`
`345`	`347`
`346`	`348`	`/*`
`347`		`- * Open heap relation, acquire a suitable lock on it, remember its OID`
`348`		`- *`
`349`	`349`	`* Only SELECT ... FOR UPDATE/SHARE are allowed while doing a standard`
`350`	`350`	`* index build; but for concurrent builds we allow INSERT/UPDATE/DELETE`
`351`	`351`	`* (but not VACUUM).`
	`352`	`+ *`
	`353`	`+ * NB: Caller is responsible for making sure that relationId refers`
	`354`	`+ * to the relation on which the index should be built; except in bootstrap`
	`355`	`+ * mode, this will typically require the caller to have already locked`
	`356`	`+ * the relation. To avoid lock upgrade hazards, that lock should be at`
	`357`	`+ * least as strong as the one we take here.`
`352`	`358`	`*/`
`353`		`-rel=heap_openrv(stmt->relation,`
`354`		`- (stmt->concurrent ?ShareUpdateExclusiveLock :ShareLock));`
	`359`	`+lockmode=stmt->concurrent ?ShareUpdateExclusiveLock :ShareLock;`
	`360`	`+rel=heap_open(relationId,lockmode);`
`355`	`361`
`356`	`362`	`relationId=RelationGetRelid(rel);`
`357`	`363`	`namespaceId=RelationGetNamespace(rel);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite1e0a4d

File tree

18 files changed

18 files changed

`‎src/backend/bootstrap/bootparse.y‎`

`‎src/backend/catalog/index.c‎`

`‎src/backend/catalog/pg_constraint.c‎`

`‎src/backend/commands/indexcmds.c‎`

0 commit comments