author: Tom Lane <tgl@sss.pgh.pa.us> 2007-02-02 00:07:03 +0000
committer: Tom Lane <tgl@sss.pgh.pa.us> 2007-02-02 00:07:03 +0000
commit: 5413eef8dcd2dbf2cc46eed4f9fe4024987b8a38
tree: b374d44369cf79d99c8f7d087f8b0b293567c31c /src/include/executor
parent: f8eb75b6737f00dc1d9b6ca9c50b0cacc576b998
Repair failure to check that a table is still compatible with a previously made query plan.

Use of ALTER COLUMN TYPE creates a hazard for cached query plans: they could contain Vars that claim a column has a different type than it now has. Fix this by checking during plan startup that Vars at relation scan level match the current relation tuple descriptor. Since at that point we already have at least AccessShareLock, we can be sure the column type will not change underneath us later in the query. However, since a backend's locks do not conflict against itself, there is still a hole for an attacker to exploit: he could try to execute ALTER COLUMN TYPE while a query is in progress in the current backend. Seal that hole by rejecting ALTER TABLE whenever the target relation is already open in the current backend.

This is a significant security hole: not only can one trivially crash the backend, but with appropriate misuse of pass-by-reference datatypes it is possible to read out arbitrary locations in the server process's memory, which could allow retrieving database content the user should not be able to see.

Our thanks to Jeff Trout for the initial report.

Security: CVE-2007-0556
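A simplified model of the plan-startup check described in the commit message, added here as an illustration and not taken from the PostgreSQL source. The struct names, the type ids and `first_stale_var` are hypothetical stand-ins, and the sample plan and descriptors are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for this example; not PostgreSQL's real structs. */
typedef struct { int attno; unsigned vartype; } PlanVar;        /* column reference frozen in a cached plan */
typedef struct { unsigned atttypid; bool attisdropped; } Attr;  /* one column as the table is defined now */
typedef struct { int natts; const Attr *attrs; } RelDesc;       /* current tuple descriptor */

/*
 * Meant to run at plan startup, once the relation lock is held, so the
 * descriptor cannot change afterwards. Returns -1 if every scan-level Var
 * still matches the table, else the index of the first stale Var.
 */
int first_stale_var(const PlanVar *vars, size_t nvars, const RelDesc *desc)
{
    for (size_t i = 0; i < nvars; i++) {
        int attno = vars[i].attno;              /* 1-based column number */
        if (attno < 1 || attno > desc->natts)
            return (int) i;                     /* column is not in the table any more */
        const Attr *att = &desc->attrs[attno - 1];
        if (att->attisdropped || att->atttypid != vars[i].vartype)
            return (int) i;                     /* dropped or retyped since planning */
    }
    return -1;
}

/* Constructed sample data: type ids are arbitrary labels for this example. */
enum { T_INT4 = 1, T_TEXT = 2 };
static const PlanVar cached_plan[] = { {1, T_INT4}, {2, T_INT4} };
static const Attr at_plan_time[]   = { {T_INT4, false}, {T_INT4, false} };
static const Attr after_alter[]    = { {T_INT4, false}, {T_TEXT, false} };  /* column 2 retyped */
static const Attr after_drop[]     = { {T_INT4, true},  {T_INT4, false} };  /* column 1 dropped */

static int check(const Attr *attrs, int natts)
{
    RelDesc desc = { natts, attrs };
    return first_stale_var(cached_plan, 2, &desc);
}

int check_unchanged(void)   { return check(at_plan_time, 2); }
int check_after_alter(void) { return check(after_alter, 2); }
int check_after_drop(void)  { return check(after_drop, 2); }

int main(void)
{
    printf("unchanged: %d, after ALTER COLUMN TYPE: %d, after drop: %d\n",
           check_unchanged(), check_after_alter(), check_after_drop());
    return 0;
}
```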
Diffstat (limited to 'src/include/executor')
-rw-r--r-- src/include/executor/executor.h 8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/include/executor/executor.h b/src/include/executor/executor.h
index 6e099374cff..1800f4cb039 100644
--- a/src/include/executor/executor.h
+++ b/src/include/executor/executor.h
@@ -7,7 +7,7 @@
* Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/executor/executor.h,v 1.134 2007/01/10 18:06:04 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/executor/executor.h,v 1.135 2007/02/02 00:07:03 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@@ -257,8 +257,10 @@ extern void ExecAssignResultTypeFromTL(PlanState *planstate);
extern TupleDesc ExecGetResultType(PlanState *planstate);
extern ProjectionInfo *ExecBuildProjectionInfo(List *targetList,
ExprContext *econtext,
- TupleTableSlot *slot);
-extern void ExecAssignProjectionInfo(PlanState *planstate);
+ TupleTableSlot *slot,
+ TupleDesc inputDesc);
+extern void ExecAssignProjectionInfo(PlanState *planstate,
+ TupleDesc inputDesc);
extern void ExecFreeExprContext(PlanState *planstate);
extern TupleDesc ExecGetScanType(ScanState *scanstate);
extern void ExecAssignScanType(ScanState *scanstate, TupleDesc tupDesc);
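Review bot: the new `TupleDesc inputDesc` argument on `ExecBuildProjectionInfo` and `ExecAssignProjectionInfo` carries no comment in this header saying which descriptor a caller must supply or whether NULL is acceptable. The commit message says the Var check applies only at relation scan level, so plan nodes above a scan need a defined way to opt out; please document that contract next to the prototypes (or point to the comment in the .c file) so a caller cannot silently pass a descriptor that skips the check. Because the signatures change, it is also worth a release-note line for out-of-tree code that calls these functions.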