aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTom Lane <tgl@sss.pgh.pa.us>2024-04-30 15:22:56 -0400
committerTom Lane <tgl@sss.pgh.pa.us>2024-04-30 15:22:56 -0400
commit56d30fb10d5ce5e2d8b432eeaca8ecf2fc2a6900 (patch)
tree15bfa7211ae9e333acdd548d5fba8f6a83a610f1
parentf222349c4ec061705e121548d2fe646b4d03ccdf (diff)
downloadpostgresql-56d30fb10d5ce5e2d8b432eeaca8ecf2fc2a6900.tar.gz
postgresql-56d30fb10d5ce5e2d8b432eeaca8ecf2fc2a6900.zip
Disallow converting a table to a view within an outer SQL command.
We have long disallowed all forms of ALTER TABLE if the table is already opened by some outer SQL command in the same session. This has the same purpose as obtaining AccessExclusiveLock, but since a session's own locks don't conflict the lock only blocks use of the table by other sessions, not our own. Without this check, the ALTER might confuse the outer SQL command since any previous inspection of the table would potentially become invalid. However, the RelisBecomingView code path in DefineQueryRewrite never got that memo, and assumed that AccessExclusiveLock is sufficient for performing something morally equivalent to a rather invasive ALTER TABLE. Unsurprisingly, this can confuse an outer command that is trying to do something with the table. This was submitted as a security issue, but the security team has been unable to identify any consequence worse than a null pointer dereference (from trying to access rd_tableam methods that the relation no longer has). Therefore, in accordance with our usual policy, it's not security material and should just be fixed as a routine bug. Fix by disallowing the operation if the table is open locally, exactly as ALTER TABLE does it. Per an anonymous security researcher, via Bundesamt für Sicherheit in der Informationstechnik. Patch v12-v15 only. In v16 and later, we removed this code altogether (cf. commit b23cd185f), so that there's no issue.
-rw-r--r--src/backend/rewrite/rewriteDefine.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/backend/rewrite/rewriteDefine.c b/src/backend/rewrite/rewriteDefine.c
index 62c46e43840..cf6c47b5963 100644
--- a/src/backend/rewrite/rewriteDefine.c
+++ b/src/backend/rewrite/rewriteDefine.c
@@ -30,6 +30,7 @@
#include "catalog/pg_rewrite.h"
#include "catalog/storage.h"
#include "commands/policy.h"
+#include "commands/tablecmds.h"
#include "miscadmin.h"
#include "nodes/nodeFuncs.h"
#include "parser/parse_utilcmd.h"
@@ -422,6 +423,9 @@ DefineQueryRewrite(const char *rulename,
* whole business of converting relations to views is just an obsolete
* kluge to allow dump/reload of views that participate in circular
* dependencies.)
+ *
+ * Also ensure the relation isn't being manipulated in any outer SQL
+ * command of our own session.
*/
if (event_relation->rd_rel->relkind != RELKIND_VIEW &&
event_relation->rd_rel->relkind != RELKIND_MATVIEW)
@@ -430,6 +434,8 @@ DefineQueryRewrite(const char *rulename,
Snapshot snapshot;
TupleTableSlot *slot;
+ CheckTableNotInUse(event_relation, "CREATE RULE");
+
if (event_relation->rd_rel->relkind == RELKIND_PARTITIONED_TABLE)
ereport(ERROR,
(errcode(ERRCODE_WRONG_OBJECT_TYPE),