Merge branch 'REL9_5_STABLE' into PGPRO9_5

vbwagner · vbwagner · commit a793c144eba1 · 2016-03-28T19:32:58.000+03:00
diff --git a/contrib/pageinspect/brinfuncs.c b/contrib/pageinspect/brinfuncs.c
@@ -46,8 +46,23 @@ brin_page_type(PG_FUNCTION_ARGS)
 {
 	bytea	   *raw_page = PG_GETARG_BYTEA_P(0);
 	Page		page = VARDATA(raw_page);
+	int			raw_page_size;
 	char	   *type;
 
+	if (!superuser())
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 (errmsg("must be superuser to use raw page functions"))));
+
+	raw_page_size = VARSIZE(raw_page) - VARHDRSZ;
+
+	if (raw_page_size != BLCKSZ)
+		ereport(ERROR,
+				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+				 errmsg("input page too small"),
+				 errdetail("Expected size %d, got %d",
+						   BLCKSZ, raw_page_size)));
+
 	switch (BrinPageType(page))
 	{
 		case BRIN_PAGETYPE_META:
@@ -79,11 +94,12 @@ verify_brin_page(bytea *raw_page, uint16 type, const char *strtype)
 
 	raw_page_size = VARSIZE(raw_page) - VARHDRSZ;
 
-	if (raw_page_size < SizeOfPageHeaderData)
+	if (raw_page_size != BLCKSZ)
 		ereport(ERROR,
 				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 				 errmsg("input page too small"),
-			  errdetail("Expected size %d, got %d", raw_page_size, BLCKSZ)));
+				 errdetail("Expected size %d, got %d",
+						   BLCKSZ, raw_page_size)));
 
 	page = VARDATA(raw_page);
 
@@ -316,6 +332,11 @@ brin_metapage_info(PG_FUNCTION_ARGS)
 	bool		nulls[4];
 	HeapTuple	htup;
 
+	if (!superuser())
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 (errmsg("must be superuser to use raw page functions"))));
+
 	page = verify_brin_page(raw_page, BRIN_PAGETYPE_META, "metapage");
 
 	/* Build a tuple descriptor for our result type */
diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml
@@ -77,6 +77,49 @@ Branch: REL9_5_STABLE [8aa6e9780] 2016-03-23 16:04:35 -0400
      </para>
     </listitem>
 
+<!--
+Author: Stephen Frost <sfrost@snowman.net>
+Branch: master [86ebf30fd] 2016-03-28 09:03:20 -0400
+Branch: REL9_5_STABLE [db69e58a0] 2016-03-28 09:03:41 -0400
+-->
+
+    <listitem>
+     <para>
+      Maintain row-security status properly in cached plans (Stephen Frost)
+     </para>
+
+     <para>
+      In a session that performs queries as more than one role, the plan
+      cache might incorrectly re-use a plan that was generated for another
+      role ID, thus possibly applying the wrong set of policies when
+      row-level security (RLS) is in use.
+      (CVE-2016-2193)
+     </para>
+    </listitem>
+
+<!--
+Author: Alvaro Herrera <alvherre@alvh.no-ip.org>
+Branch: master [3e1338475] 2016-03-28 10:57:42 -0300
+Branch: REL9_5_STABLE [bf78a6f10] 2016-03-28 10:57:46 -0300
+-->
+
+    <listitem>
+     <para>
+      Add must-be-superuser checks to some
+      new <filename>contrib/pageinspect</> functions (Andreas Seltenreich)
+     </para>
+
+     <para>
+      Most functions in the <filename>pageinspect</> extension that
+      inspect <type>bytea</> values disallow calls by non-superusers,
+      but <function>brin_page_type()</> and <function>brin_metapage_info()</>
+      failed to do so.  Passing contrived <type>bytea</> values to them might
+      crash the server or disclose a few bytes of server memory.  Add the
+      missing permissions checks to prevent misuse.
+      (CVE-2016-3065)
+     </para>
+    </listitem>
+
 <!--
 Author: Simon Riggs <simon@2ndQuadrant.com>
 Branch: master [c7111d11b] 2016-03-03 09:53:43 +0000
diff --git a/src/backend/utils/cache/plancache.c b/src/backend/utils/cache/plancache.c
@@ -16,7 +16,8 @@
  * if it has one.  When (and if) the next demand for a cached plan occurs,
  * parse analysis and rewrite is repeated to build a new valid query tree,
  * and then planning is performed as normal.  We also force re-analysis and
- * re-planning if the active search_path is different from the previous time.
+ * re-planning if the active search_path is different from the previous time
+ * or, if RLS is involved, if the user changes or the RLS environment changes.
  *
  * Note that if the sinval was a result of user DDL actions, parse analysis
  * could throw an error, for example if a column referenced by the query is
@@ -204,8 +205,8 @@ CreateCachedPlan(Node *raw_parse_tree,
 	plansource->total_custom_cost = 0;
 	plansource->num_custom_plans = 0;
 	plansource->hasRowSecurity = false;
-	plansource->row_security_env = row_security;
 	plansource->planUserId = InvalidOid;
+	plansource->row_security_env = false;
 
 	MemoryContextSwitchTo(oldcxt);
 
@@ -271,6 +272,8 @@ CreateOneShotCachedPlan(Node *raw_parse_tree,
 	plansource->generic_cost = -1;
 	plansource->total_custom_cost = 0;
 	plansource->num_custom_plans = 0;
+	plansource->planUserId = InvalidOid;
+	plansource->row_security_env = false;
 
 	return plansource;
 }
@@ -409,6 +412,8 @@ CompleteCachedPlan(CachedPlanSource *plansource,
 	plansource->cursor_options = cursor_options;
 	plansource->fixed_result = fixed_result;
 	plansource->resultDesc = PlanCacheComputeResultDesc(querytree_list);
+	plansource->planUserId = GetUserId();
+	plansource->row_security_env = row_security;
 
 	MemoryContextSwitchTo(oldcxt);
 
@@ -571,24 +576,15 @@ RevalidateCachedQuery(CachedPlanSource *plansource)
 		return NIL;
 	}
 
-	/*
-	 * If this is a new cached plan, then set the user id it was planned by
-	 * and under what row security settings; these are needed to determine
-	 * plan invalidation when RLS is involved.
-	 */
-	if (!OidIsValid(plansource->planUserId))
-	{
-		plansource->planUserId = GetUserId();
-		plansource->row_security_env = row_security;
-	}
-
 	/*
 	 * If the query is currently valid, we should have a saved search_path ---
 	 * check to see if that matches the current environment.  If not, we want
-	 * to force replan.
+	 * to force replan.  We should also have a valid planUserId.
 	 */
 	if (plansource->is_valid)
 	{
+		Assert(OidIsValid(plansource->planUserId));
+
 		Assert(plansource->search_path != NULL);
 		if (!OverrideSearchPathMatchesCurrent(plansource->search_path))
 		{
@@ -643,6 +639,14 @@ RevalidateCachedQuery(CachedPlanSource *plansource)
 	plansource->invalItems = NIL;
 	plansource->search_path = NULL;
 
+	/*
+	 * The plan is invalid, possibly due to row security, so we need to reset
+	 * row_security_env and planUserId as we're about to re-plan with the
+	 * current settings.
+	 */
+	plansource->row_security_env = row_security;
+	plansource->planUserId = GetUserId();
+
 	/*
 	 * Free the query_context.  We don't really expect MemoryContextDelete to
 	 * fail, but just in case, make sure the CachedPlanSource is left in a
@@ -1380,6 +1384,14 @@ CopyCachedPlan(CachedPlanSource *plansource)
 	newsource->total_custom_cost = plansource->total_custom_cost;
 	newsource->num_custom_plans = plansource->num_custom_plans;
 
+	/*
+	 * Copy over the user the query was planned as, and under what RLS
+	 * environment.  We will check during RevalidateCachedQuery() if the user
+	 * or environment has changed and, if so, will force a re-plan.
+	 */
+	newsource->planUserId = plansource->planUserId;
+	newsource->row_security_env = plansource->row_security_env;
+
 	MemoryContextSwitchTo(oldcxt);
 
 	return newsource;
diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out
@@ -2334,23 +2334,37 @@ GRANT SELECT ON t1 TO rls_regress_user1, rls_regress_user2;
 CREATE POLICY p1 ON t1 TO rls_regress_user1 USING ((a % 2) = 0);
 CREATE POLICY p2 ON t1 TO rls_regress_user2 USING ((a % 4) = 0);
 ALTER TABLE t1 ENABLE ROW LEVEL SECURITY;
+-- Prepare as rls_regress_user1
 SET ROLE rls_regress_user1;
 PREPARE role_inval AS SELECT * FROM t1;
+-- Check plan
 EXPLAIN (COSTS OFF) EXECUTE role_inval;
        QUERY PLAN        
 -------------------------
  Seq Scan on t1
    Filter: ((a % 2) = 0)
 (2 rows)
 
+-- Change to rls_regress_user2
 SET ROLE rls_regress_user2;
+-- Check plan- should be different
 EXPLAIN (COSTS OFF) EXECUTE role_inval;
        QUERY PLAN        
 -------------------------
  Seq Scan on t1
    Filter: ((a % 4) = 0)
 (2 rows)
 
+-- Change back to rls_regress_user1
+SET ROLE rls_regress_user1;
+-- Check plan- should be back to original
+EXPLAIN (COSTS OFF) EXECUTE role_inval;
+       QUERY PLAN        
+-------------------------
+ Seq Scan on t1
+   Filter: ((a % 2) = 0)
+(2 rows)
+
 --
 -- CTE and RLS
 --
diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql
@@ -852,11 +852,20 @@ CREATE POLICY p2 ON t1 TO rls_regress_user2 USING ((a % 4) = 0);
 
 ALTER TABLE t1 ENABLE ROW LEVEL SECURITY;
 
+-- Prepare as rls_regress_user1
 SET ROLE rls_regress_user1;
 PREPARE role_inval AS SELECT * FROM t1;
+-- Check plan
 EXPLAIN (COSTS OFF) EXECUTE role_inval;
 
+-- Change to rls_regress_user2
 SET ROLE rls_regress_user2;
+-- Check plan- should be different
+EXPLAIN (COSTS OFF) EXECUTE role_inval;
+
+-- Change back to rls_regress_user1
+SET ROLE rls_regress_user1;
+-- Check plan- should be back to original
 EXPLAIN (COSTS OFF) EXECUTE role_inval;
 
 --
