Prevent PL/Tcl from loading the "unknown" module from pltcl_modules unless

tglsfdc · tglsfdc · commit 9ead05b7c3d0 · 2010-05-13T18:29:12.000Z
that is a regular table or view owned by a superuser. This prevents a trojan horse attack whereby any unprivileged SQL user could create such a table and insert code into it that would then get executed in other users' sessions whenever they call pltcl functions. Worse yet, because the code was automatically loaded into both the "normal" and "safe" interpreters at first use, the attacker could execute unrestricted Tcl code in the "normal" interpreter without there being any pltclu functions anywhere, or indeed anyone else using pltcl at all: installing pltcl is sufficient to open the hole. Change the initialization logic so that the "unknown" code is only loaded into an interpreter when the interpreter is first really used. (That doesn't add any additional security in this particular context, but it seems a prudent change, and anyway the former behavior violated the principle of least astonishment.) Security: CVE-2010-1170
diff --git a/doc/src/sgml/pltcl.sgml b/doc/src/sgml/pltcl.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/pltcl.sgml,v 2.49 2010/04/03 07:22:55 petere Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/pltcl.sgml,v 2.50 2010/05/13 18:29:12 tgl Exp $ -->
 
  <chapter id="pltcl">
   <title>PL/Tcl - Tcl Procedural Language</title>
@@ -689,8 +689,10 @@ CREATE TRIGGER trig_mytab_modcount BEFORE INSERT OR UPDATE ON mytab
         It recognizes a special table, <literal>pltcl_modules</>, which
         is presumed to contain modules of Tcl code.  If this table
         exists, the module <literal>unknown</> is fetched from the table
-        and loaded into the Tcl interpreter immediately after creating
-        the interpreter.
+        and loaded into the Tcl interpreter immediately before the first
+        execution of a PL/Tcl function in a database session.  (This
+        happens separately for PL/Tcl and PL/TclU, if both are used,
+        because separate interpreters are used for the two languages.)
        </para>
        <para>
         While the <literal>unknown</> module could actually contain any
@@ -717,7 +719,11 @@ CREATE TRIGGER trig_mytab_modcount BEFORE INSERT OR UPDATE ON mytab
        <para>
         The tables <literal>pltcl_modules</> and <literal>pltcl_modfuncs</>
         must be readable by all, but it is wise to make them owned and
-        writable only by the database administrator.
+        writable only by the database administrator.  As a security
+        precaution, PL/Tcl will ignore <literal>pltcl_modules</> (and thus,
+        not attempt to load the <literal>unknown</> module) unless it is
+        owned by a superuser.  But update privileges on this table can be
+        granted to other users, if you trust them sufficiently.
        </para>
    </sect1>
 
diff --git a/src/pl/tcl/pltcl.c b/src/pl/tcl/pltcl.c
@@ -2,7 +2,7 @@
  * pltcl.c		- PostgreSQL support for Tcl as
  *				  procedural language (PL)
  *
- *	  $PostgreSQL: pgsql/src/pl/tcl/pltcl.c,v 1.132 2010/02/26 02:01:37 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/pl/tcl/pltcl.c,v 1.133 2010/05/13 18:29:12 tgl Exp $
  *
  **********************************************************************/
 
@@ -120,7 +120,8 @@ typedef struct pltcl_query_desc
  * Global data
  **********************************************************************/
 static bool pltcl_pm_init_done = false;
-static bool pltcl_be_init_done = false;
+static bool pltcl_be_norm_init_done = false;
+static bool pltcl_be_safe_init_done = false;
 static Tcl_Interp *pltcl_hold_interp = NULL;
 static Tcl_Interp *pltcl_norm_interp = NULL;
 static Tcl_Interp *pltcl_safe_interp = NULL;
@@ -139,8 +140,8 @@ Datum		pltcl_call_handler(PG_FUNCTION_ARGS);
 Datum		pltclu_call_handler(PG_FUNCTION_ARGS);
 void		_PG_init(void);
 
-static void pltcl_init_all(void);
 static void pltcl_init_interp(Tcl_Interp *interp);
+static Tcl_Interp *pltcl_fetch_interp(bool pltrusted);
 static void pltcl_init_load_unknown(Tcl_Interp *interp);
 
 static Datum pltcl_func_handler(PG_FUNCTION_ARGS);
@@ -334,33 +335,12 @@ _PG_init(void)
 	pltcl_pm_init_done = true;
 }
 
-/**********************************************************************
- * pltcl_init_all()		- Initialize all
- *
- * This does initialization that can't be done in the postmaster, and
- * hence is not safe to do at library load time.
- **********************************************************************/
-static void
-pltcl_init_all(void)
-{
-	/************************************************************
-	 * Try to load the unknown procedure from pltcl_modules
-	 ************************************************************/
-	if (!pltcl_be_init_done)
-	{
-		if (SPI_connect() != SPI_OK_CONNECT)
-			elog(ERROR, "SPI_connect failed");
-		pltcl_init_load_unknown(pltcl_norm_interp);
-		pltcl_init_load_unknown(pltcl_safe_interp);
-		if (SPI_finish() != SPI_OK_FINISH)
-			elog(ERROR, "SPI_finish failed");
-		pltcl_be_init_done = true;
-	}
-}
-
-
 /**********************************************************************
  * pltcl_init_interp() - initialize a Tcl interpreter
+ *
+ * The work done here must be safe to do in the postmaster process,
+ * in case the pltcl library is preloaded in the postmaster.  Note
+ * that this is applied separately to the "normal" and "safe" interpreters.
  **********************************************************************/
 static void
 pltcl_init_interp(Tcl_Interp *interp)
@@ -387,6 +367,42 @@ pltcl_init_interp(Tcl_Interp *interp)
 					  pltcl_SPI_lastoid, NULL, NULL);
 }
 
+/**********************************************************************
+ * pltcl_fetch_interp() - fetch the Tcl interpreter to use for a function
+ *
+ * This also takes care of any on-first-use initialization required.
+ * The initialization work done here can't be done in the postmaster, and
+ * hence is not safe to do at library load time, because it may invoke
+ * arbitrary user-defined code.
+ * Note: we assume caller has already connected to SPI.
+ **********************************************************************/
+static Tcl_Interp *
+pltcl_fetch_interp(bool pltrusted)
+{
+	Tcl_Interp *interp;
+
+	/* On first use, we try to load the unknown procedure from pltcl_modules */
+	if (pltrusted)
+	{
+		interp = pltcl_safe_interp;
+		if (!pltcl_be_safe_init_done)
+		{
+			pltcl_init_load_unknown(interp);
+			pltcl_be_safe_init_done = true;
+		}
+	}
+	else
+	{
+		interp = pltcl_norm_interp;
+		if (!pltcl_be_norm_init_done)
+		{
+			pltcl_init_load_unknown(interp);
+			pltcl_be_norm_init_done = true;
+		}
+	}
+
+	return interp;
+}
 
 /**********************************************************************
  * pltcl_init_load_unknown()	- Load the unknown procedure from
@@ -395,6 +411,11 @@ pltcl_init_interp(Tcl_Interp *interp)
 static void
 pltcl_init_load_unknown(Tcl_Interp *interp)
 {
+	Relation	pmrel;
+	char	   *pmrelname,
+			   *nspname;
+	char	   *buf;
+	int			buflen;
 	int			spi_rc;
 	int			tcl_rc;
 	Tcl_DString unknown_src;
@@ -404,47 +425,72 @@ pltcl_init_load_unknown(Tcl_Interp *interp)
 
 	/************************************************************
 	 * Check if table pltcl_modules exists
+	 *
+	 * We allow the table to be found anywhere in the search_path.
+	 * This is for backwards compatibility.  To ensure that the table
+	 * is trustworthy, we require it to be owned by a superuser.
 	 ************************************************************/
-	spi_rc = SPI_execute("select 1 from pg_catalog.pg_class "
-						 "where relname = 'pltcl_modules'",
-						 false, 1);
-	SPI_freetuptable(SPI_tuptable);
-	if (spi_rc != SPI_OK_SELECT)
-		elog(ERROR, "select from pg_class failed");
-	if (SPI_processed == 0)
+	pmrel = try_relation_openrv(makeRangeVar(NULL, "pltcl_modules", -1),
+								AccessShareLock);
+	if (pmrel == NULL)
+		return;
+	/* must be table or view, else ignore */
+	if (!(pmrel->rd_rel->relkind == RELKIND_RELATION ||
+		  pmrel->rd_rel->relkind == RELKIND_VIEW))
+	{
+		relation_close(pmrel, AccessShareLock);
+		return;
+	}
+	/* must be owned by superuser, else ignore */
+	if (!superuser_arg(pmrel->rd_rel->relowner))
+	{
+		relation_close(pmrel, AccessShareLock);
 		return;
+	}
+	/* get fully qualified table name for use in select command */
+	nspname = get_namespace_name(RelationGetNamespace(pmrel));
+	if (!nspname)
+		elog(ERROR, "cache lookup failed for namespace %u",
+			 RelationGetNamespace(pmrel));
+	pmrelname = quote_qualified_identifier(nspname,
+										   RelationGetRelationName(pmrel));
 
 	/************************************************************
-	 * Read all the row's from it where modname = 'unknown' in
-	 * the order of modseq
+	 * Read all the rows from it where modname = 'unknown',
+	 * in the order of modseq
 	 ************************************************************/
-	Tcl_DStringInit(&unknown_src);
+	buflen = strlen(pmrelname) + 100;
+	buf = (char *) palloc(buflen);
+	snprintf(buf, buflen,
+			 "select modsrc from %s where modname = 'unknown' order by modseq",
+			 pmrelname);
 
-	spi_rc = SPI_execute("select modseq, modsrc from pltcl_modules "
-						 "where modname = 'unknown' "
-						 "order by modseq",
-						 false, 0);
+	spi_rc = SPI_execute(buf, false, 0);
 	if (spi_rc != SPI_OK_SELECT)
 		elog(ERROR, "select from pltcl_modules failed");
 
+	pfree(buf);
+
 	/************************************************************
 	 * If there's nothing, module unknown doesn't exist
 	 ************************************************************/
 	if (SPI_processed == 0)
 	{
-		Tcl_DStringFree(&unknown_src);
 		SPI_freetuptable(SPI_tuptable);
 		elog(WARNING, "module \"unknown\" not found in pltcl_modules");
+		relation_close(pmrel, AccessShareLock);
 		return;
 	}
 
 	/************************************************************
-	 * There is a module named unknown. Resemble the
+	 * There is a module named unknown. Reassemble the
 	 * source from the modsrc attributes and evaluate
 	 * it in the Tcl interpreter
 	 ************************************************************/
 	fno = SPI_fnumber(SPI_tuptable->tupdesc, "modsrc");
 
+	Tcl_DStringInit(&unknown_src);
+
 	for (i = 0; i < SPI_processed; i++)
 	{
 		part = SPI_getvalue(SPI_tuptable->vals[i],
@@ -458,8 +504,19 @@ pltcl_init_load_unknown(Tcl_Interp *interp)
 		}
 	}
 	tcl_rc = Tcl_GlobalEval(interp, Tcl_DStringValue(&unknown_src));
+
 	Tcl_DStringFree(&unknown_src);
 	SPI_freetuptable(SPI_tuptable);
+
+	if (tcl_rc != TCL_OK)
+	{
+		UTF_BEGIN;
+		elog(ERROR, "could not load module \"unknown\": %s",
+			 UTF_U2E(Tcl_GetStringResult(interp)));
+		UTF_END;
+	}
+
+	relation_close(pmrel, AccessShareLock);
 }
 
 
@@ -480,11 +537,6 @@ pltcl_call_handler(PG_FUNCTION_ARGS)
 	FunctionCallInfo save_fcinfo;
 	pltcl_proc_desc *save_prodesc;
 
-	/*
-	 * Initialize interpreters if first time through
-	 */
-	pltcl_init_all();
-
 	/*
 	 * Ensure that static pointers are saved/restored properly
 	 */
@@ -558,10 +610,7 @@ pltcl_func_handler(PG_FUNCTION_ARGS)
 
 	pltcl_current_prodesc = prodesc;
 
-	if (prodesc->lanpltrusted)
-		interp = pltcl_safe_interp;
-	else
-		interp = pltcl_norm_interp;
+	interp = pltcl_fetch_interp(prodesc->lanpltrusted);
 
 	/************************************************************
 	 * Create the tcl command to call the internal
@@ -719,10 +768,7 @@ pltcl_trigger_handler(PG_FUNCTION_ARGS)
 
 	pltcl_current_prodesc = prodesc;
 
-	if (prodesc->lanpltrusted)
-		interp = pltcl_safe_interp;
-	else
-		interp = pltcl_norm_interp;
+	interp = pltcl_fetch_interp(prodesc->lanpltrusted);
 
 	tupdesc = trigdata->tg_relation->rd_att;
 
@@ -1152,10 +1198,7 @@ compile_pltcl_function(Oid fn_oid, Oid tgreloid)
 		prodesc->lanpltrusted = langStruct->lanpltrusted;
 		ReleaseSysCache(langTup);
 
-		if (prodesc->lanpltrusted)
-			interp = pltcl_safe_interp;
-		else
-			interp = pltcl_norm_interp;
+		interp = pltcl_fetch_interp(prodesc->lanpltrusted);
 
 		/************************************************************
 		 * Get the required information for input conversion of the
