Skip to content

Commit 3e13384

Browse files
alvherrealvherre
committed
Add missing checks to some of pageinspect's BRIN functions
brin_page_type() and brin_metapage_info() did not enforce being called by superuser, like other pageinspect functions that take bytea do. Since they don't verify the passed page thoroughly, it is possible to use them to read the server memory with a carefully crafted bytea value, up to a file kilobytes from where the input bytea is located. Have them throw errors if called by a non-superuser. Report and initial patch: Andreas Seltenreich Security: CVE-2016-3065
1 parent 86ebf30 commit 3e13384

File tree

1 file changed

+23
-2
lines changed

1 file changed

+23
-2
lines changed

contrib/pageinspect/brinfuncs.c

Lines changed: 23 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -46,8 +46,23 @@ brin_page_type(PG_FUNCTION_ARGS)
4646
{
4747
bytea *raw_page = PG_GETARG_BYTEA_P(0);
4848
Page page = VARDATA(raw_page);
49+
int raw_page_size;
4950
char *type;
5051

52+
if (!superuser())
53+
ereport(ERROR,
54+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
55+
(errmsg("must be superuser to use raw page functions"))));
56+
57+
raw_page_size = VARSIZE(raw_page) - VARHDRSZ;
58+
59+
if (raw_page_size != BLCKSZ)
60+
ereport(ERROR,
61+
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
62+
errmsg("input page too small"),
63+
errdetail("Expected size %d, got %d",
64+
BLCKSZ, raw_page_size)));
65+
5166
switch (BrinPageType(page))
5267
{
5368
case BRIN_PAGETYPE_META:
@@ -79,11 +94,12 @@ verify_brin_page(bytea *raw_page, uint16 type, const char *strtype)
7994

8095
raw_page_size = VARSIZE(raw_page) - VARHDRSZ;
8196

82-
if (raw_page_size < SizeOfPageHeaderData)
97+
if (raw_page_size != BLCKSZ)
8398
ereport(ERROR,
8499
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
85100
errmsg("input page too small"),
86-
errdetail("Expected size %d, got %d", raw_page_size, BLCKSZ)));
101+
errdetail("Expected size %d, got %d",
102+
BLCKSZ, raw_page_size)));
87103

88104
page = VARDATA(raw_page);
89105

@@ -316,6 +332,11 @@ brin_metapage_info(PG_FUNCTION_ARGS)
316332
bool nulls[4];
317333
HeapTuple htup;
318334

335+
if (!superuser())
336+
ereport(ERROR,
337+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
338+
(errmsg("must be superuser to use raw page functions"))));
339+
319340
page = verify_brin_page(raw_page, BRIN_PAGETYPE_META, "metapage");
320341

321342
/* Build a tuple descriptor for our result type */

0 commit comments

Comments
 (0)