Skip to content

Commit 7e86da5

Browse files
deanrasheeddeanrasheed
committed
Fix security checks in selectivity estimation functions.
Commit e2d4ef8 (the fix for CVE-2017-7484) added security checks to the selectivity estimation functions to prevent them from running user-supplied operators on data obtained from pg_statistic if the user lacks privileges to select from the underlying table. In cases involving inheritance/partitioning, those checks were originally performed against the child RTE (which for plain inheritance might actually refer to the parent table). Commit 553d2ec then extended that to also check the parent RTE, allowing access if the user had permissions on either the parent or the child. It turns out, however, that doing any checks using the child RTE is incorrect, since securityQuals is set to NULL when creating an RTE for an inheritance child (whether it refers to the parent table or the child table), and therefore such checks do not correctly account for any RLS policies or security barrier views. Therefore, do the security checks using only the parent RTE. This is consistent with how RLS policies are applied, and the executor's ACL checks, both of which use only the parent table's permissions/policies. Similar checks are performed in the extended stats code, so update that in the same way, centralizing all the checks in a new function. In addition, note that these checks by themselves are insufficient to ensure that the user has access to the table's data because, in a query that goes via a view, they only check that the view owner has permissions on the underlying table, not that the current user has permissions on the view itself. In the selectivity estimation functions, there is no easy way to navigate from underlying tables to views, so add permissions checks for all views mentioned in the query to the planner startup code. If the user lacks permissions on a view, a permissions error will now be reported at planner-startup, and the selectivity estimation functions will not be run. Checking view permissions at planner-startup in this way is a little ugly, since the same checks will be repeated at executor-startup. Longer-term, it might be better to move all the permissions checks from the executor to the planner so that permissions errors can be reported sooner, instead of creating a plan that won't ever be run. However, such a change seems too far-reaching to be back-patched. Back-patch to all supported versions. In v13, there is the added complication that UPDATEs and DELETEs on inherited target tables are planned using inheritance_planner(), which plans each inheritance child table separately, so that the selectivity estimation functions do not know that they are dealing with a child table accessed via its parent. Handle that by checking access permissions on the top parent table at planner-startup, in the same way as we do for views. Any securityQuals on the top parent table are moved down to the child tables by inheritance_planner(), so they continue to be checked by the selectivity estimation functions. Author: Dean Rasheed <dean.a.rasheed@gmail.com> Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: Noah Misch <noah@leadboat.com> Backpatch-through: 13 Security: CVE-2025-8713
1 parent 94c0673 commit 7e86da5

File tree

12 files changed

+569
-288
lines changed

12 files changed

+569
-288
lines changed

src/backend/executor/execMain.c

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -89,7 +89,6 @@ static void ExecutePlan(QueryDesc *queryDesc,
8989
uint64 numberTuples,
9090
ScanDirection direction,
9191
DestReceiver *dest);
92-
static bool ExecCheckOneRelPerms(RTEPermissionInfo *perminfo);
9392
static bool ExecCheckPermissionsModified(Oid relOid, Oid userid,
9493
Bitmapset *modifiedCols,
9594
AclMode requiredPerms);
@@ -635,7 +634,7 @@ ExecCheckPermissions(List *rangeTable, List *rteperminfos,
635634
* ExecCheckOneRelPerms
636635
* Check access permissions for a single relation.
637636
*/
638-
static bool
637+
bool
639638
ExecCheckOneRelPerms(RTEPermissionInfo *perminfo)
640639
{
641640
AclMode requiredPerms;

src/backend/optimizer/plan/planner.c

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,7 @@
6363
#include "partitioning/partdesc.h"
6464
#include "rewrite/rewriteManip.h"
6565
#include "storage/dsm_impl.h"
66+
#include "utils/acl.h"
6667
#include "utils/lsyscache.h"
6768
#include "utils/rel.h"
6869
#include "utils/selfuncs.h"
@@ -788,6 +789,38 @@ subquery_planner(PlannerGlobal *glob, Query *parse,
788789
bms_make_singleton(parse->resultRelation);
789790
}
790791

792+
/*
793+
* This would be a convenient time to check access permissions for all
794+
* relations mentioned in the query, since it would be better to fail now,
795+
* before doing any detailed planning. However, for historical reasons,
796+
* we leave this to be done at executor startup.
797+
*
798+
* Note, however, that we do need to check access permissions for any view
799+
* relations mentioned in the query, in order to prevent information being
800+
* leaked by selectivity estimation functions, which only check view owner
801+
* permissions on underlying tables (see all_rows_selectable() and its
802+
* callers). This is a little ugly, because it means that access
803+
* permissions for views will be checked twice, which is another reason
804+
* why it would be better to do all the ACL checks here.
805+
*/
806+
foreach(l, parse->rtable)
807+
{
808+
RangeTblEntry *rte = lfirst_node(RangeTblEntry, l);
809+
810+
if (rte->perminfoindex != 0 &&
811+
rte->relkind == RELKIND_VIEW)
812+
{
813+
RTEPermissionInfo *perminfo;
814+
bool result;
815+
816+
perminfo = getRTEPermissionInfo(parse->rteperminfos, rte);
817+
result = ExecCheckOneRelPerms(perminfo);
818+
if (!result)
819+
aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_VIEW,
820+
get_rel_name(perminfo->relid));
821+
}
822+
}
823+
791824
/*
792825
* Preprocess RowMark information. We need to do this after subquery
793826
* pullup, so that all base relations are present.

src/backend/statistics/extended_stats.c

Lines changed: 44 additions & 64 deletions
Original file line numberDiff line numberDiff line change
@@ -1344,14 +1344,17 @@ choose_best_statistics(List *stats, char requiredkind, bool inh,
13441344
* so we can't cope with system columns.
13451345
* *exprs: input/output parameter collecting primitive subclauses within
13461346
* the clause tree
1347+
* *leakproof: input/output parameter recording the leakproofness of the
1348+
* clause tree. This should be true initially, and will be set to false
1349+
* if any operator function used in an OpExpr is not leakproof.
13471350
*
13481351
* Returns false if there is something we definitively can't handle.
13491352
* On true return, we can proceed to match the *exprs against statistics.
13501353
*/
13511354
static bool
13521355
statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
13531356
Index relid, Bitmapset **attnums,
1354-
List **exprs)
1357+
List **exprs, bool *leakproof)
13551358
{
13561359
/* Look inside any binary-compatible relabeling (as in examine_variable) */
13571360
if (IsA(clause, RelabelType))
@@ -1386,7 +1389,6 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
13861389
/* (Var/Expr op Const) or (Const op Var/Expr) */
13871390
if (is_opclause(clause))
13881391
{
1389-
RangeTblEntry *rte = root->simple_rte_array[relid];
13901392
OpExpr *expr = (OpExpr *) clause;
13911393
Node *clause_expr;
13921394

@@ -1421,24 +1423,15 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
14211423
return false;
14221424
}
14231425

1424-
/*
1425-
* If there are any securityQuals on the RTE from security barrier
1426-
* views or RLS policies, then the user may not have access to all the
1427-
* table's data, and we must check that the operator is leak-proof.
1428-
*
1429-
* If the operator is leaky, then we must ignore this clause for the
1430-
* purposes of estimating with MCV lists, otherwise the operator might
1431-
* reveal values from the MCV list that the user doesn't have
1432-
* permission to see.
1433-
*/
1434-
if (rte->securityQuals != NIL &&
1435-
!get_func_leakproof(get_opcode(expr->opno)))
1436-
return false;
1426+
/* Check if the operator is leakproof */
1427+
if (*leakproof)
1428+
*leakproof = get_func_leakproof(get_opcode(expr->opno));
14371429

14381430
/* Check (Var op Const) or (Const op Var) clauses by recursing. */
14391431
if (IsA(clause_expr, Var))
14401432
return statext_is_compatible_clause_internal(root, clause_expr,
1441-
relid, attnums, exprs);
1433+
relid, attnums,
1434+
exprs, leakproof);
14421435

14431436
/* Otherwise we have (Expr op Const) or (Const op Expr). */
14441437
*exprs = lappend(*exprs, clause_expr);
@@ -1448,7 +1441,6 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
14481441
/* Var/Expr IN Array */
14491442
if (IsA(clause, ScalarArrayOpExpr))
14501443
{
1451-
RangeTblEntry *rte = root->simple_rte_array[relid];
14521444
ScalarArrayOpExpr *expr = (ScalarArrayOpExpr *) clause;
14531445
Node *clause_expr;
14541446
bool expronleft;
@@ -1488,24 +1480,15 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
14881480
return false;
14891481
}
14901482

1491-
/*
1492-
* If there are any securityQuals on the RTE from security barrier
1493-
* views or RLS policies, then the user may not have access to all the
1494-
* table's data, and we must check that the operator is leak-proof.
1495-
*
1496-
* If the operator is leaky, then we must ignore this clause for the
1497-
* purposes of estimating with MCV lists, otherwise the operator might
1498-
* reveal values from the MCV list that the user doesn't have
1499-
* permission to see.
1500-
*/
1501-
if (rte->securityQuals != NIL &&
1502-
!get_func_leakproof(get_opcode(expr->opno)))
1503-
return false;
1483+
/* Check if the operator is leakproof */
1484+
if (*leakproof)
1485+
*leakproof = get_func_leakproof(get_opcode(expr->opno));
15041486

15051487
/* Check Var IN Array clauses by recursing. */
15061488
if (IsA(clause_expr, Var))
15071489
return statext_is_compatible_clause_internal(root, clause_expr,
1508-
relid, attnums, exprs);
1490+
relid, attnums,
1491+
exprs, leakproof);
15091492

15101493
/* Otherwise we have Expr IN Array. */
15111494
*exprs = lappend(*exprs, clause_expr);
@@ -1542,7 +1525,8 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
15421525
*/
15431526
if (!statext_is_compatible_clause_internal(root,
15441527
(Node *) lfirst(lc),
1545-
relid, attnums, exprs))
1528+
relid, attnums, exprs,
1529+
leakproof))
15461530
return false;
15471531
}
15481532

@@ -1556,8 +1540,10 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
15561540

15571541
/* Check Var IS NULL clauses by recursing. */
15581542
if (IsA(nt->arg, Var))
1559-
return statext_is_compatible_clause_internal(root, (Node *) (nt->arg),
1560-
relid, attnums, exprs);
1543+
return statext_is_compatible_clause_internal(root,
1544+
(Node *) (nt->arg),
1545+
relid, attnums,
1546+
exprs, leakproof);
15611547

15621548
/* Otherwise we have Expr IS NULL. */
15631549
*exprs = lappend(*exprs, nt->arg);
@@ -1596,11 +1582,9 @@ static bool
15961582
statext_is_compatible_clause(PlannerInfo *root, Node *clause, Index relid,
15971583
Bitmapset **attnums, List **exprs)
15981584
{
1599-
RangeTblEntry *rte = root->simple_rte_array[relid];
1600-
RelOptInfo *rel = root->simple_rel_array[relid];
16011585
RestrictInfo *rinfo;
16021586
int clause_relid;
1603-
Oid userid;
1587+
bool leakproof;
16041588

16051589
/*
16061590
* Special-case handling for bare BoolExpr AND clauses, because the
@@ -1640,18 +1624,31 @@ statext_is_compatible_clause(PlannerInfo *root, Node *clause, Index relid,
16401624
clause_relid != relid)
16411625
return false;
16421626

1643-
/* Check the clause and determine what attributes it references. */
1627+
/*
1628+
* Check the clause, determine what attributes it references, and whether
1629+
* it includes any non-leakproof operators.
1630+
*/
1631+
leakproof = true;
16441632
if (!statext_is_compatible_clause_internal(root, (Node *) rinfo->clause,
1645-
relid, attnums, exprs))
1633+
relid, attnums, exprs,
1634+
&leakproof))
16461635
return false;
16471636

16481637
/*
1649-
* Check that the user has permission to read all required attributes.
1638+
* If the clause includes any non-leakproof operators, check that the user
1639+
* has permission to read all required attributes, otherwise the operators
1640+
* might reveal values from the MCV list that the user doesn't have
1641+
* permission to see. We require all rows to be selectable --- there must
1642+
* be no securityQuals from security barrier views or RLS policies. See
1643+
* similar code in examine_variable(), examine_simple_variable(), and
1644+
* statistic_proc_security_check().
1645+
*
1646+
* Note that for an inheritance child, the permission checks are performed
1647+
* on the inheritance root parent, and whole-table select privilege on the
1648+
* parent doesn't guarantee that the user could read all columns of the
1649+
* child. Therefore we must check all referenced columns.
16501650
*/
1651-
userid = OidIsValid(rel->userid) ? rel->userid : GetUserId();
1652-
1653-
/* Table-level SELECT privilege is sufficient for all columns */
1654-
if (pg_class_aclcheck(rte->relid, userid, ACL_SELECT) != ACLCHECK_OK)
1651+
if (!leakproof)
16551652
{
16561653
Bitmapset *clause_attnums = NULL;
16571654
int attnum = -1;
@@ -1676,26 +1673,9 @@ statext_is_compatible_clause(PlannerInfo *root, Node *clause, Index relid,
16761673
if (*exprs != NIL)
16771674
pull_varattnos((Node *) *exprs, relid, &clause_attnums);
16781675

1679-
attnum = -1;
1680-
while ((attnum = bms_next_member(clause_attnums, attnum)) >= 0)
1681-
{
1682-
/* Undo the offset */
1683-
AttrNumber attno = attnum + FirstLowInvalidHeapAttributeNumber;
1684-
1685-
if (attno == InvalidAttrNumber)
1686-
{
1687-
/* Whole-row reference, so must have access to all columns */
1688-
if (pg_attribute_aclcheck_all(rte->relid, userid, ACL_SELECT,
1689-
ACLMASK_ALL) != ACLCHECK_OK)
1690-
return false;
1691-
}
1692-
else
1693-
{
1694-
if (pg_attribute_aclcheck(rte->relid, attno, userid,
1695-
ACL_SELECT) != ACLCHECK_OK)
1696-
return false;
1697-
}
1698-
}
1676+
/* Must have permission to read all rows from these columns */
1677+
if (!all_rows_selectable(root, relid, clause_attnums))
1678+
return false;
16991679
}
17001680

17011681
/* If we reach here, the clause is OK */

0 commit comments

Comments
 (0)