From 448776815764803e5c25288b43011b3fcce76c99 Mon Sep 17 00:00:00 2001 From: Alexander Korotkov Date: Sat, 10 Aug 2024 16:19:28 +0300 Subject: [PATCH v2] Avoid repeated table name lookups in createPartitionTable() Currently, createPartitionTable() opens newly created table using its name. This approach is prone to privilege escalation attack, because we might end up opening another table than we just created. This commit address the issue above by opening newly created table by its oid. It appears to be tricky to get a relation oid out of ProcessUtility(). We have to extend TableLikeClause with new newRelationOid field, which is filled within ProcessUtility() to be further accessed by caller. Security: CVE-2014-0062 Reported-by: Noah Misch Discussion: https://postgr.es/m/20240808171351.a9.nmisch%40google.com Reviewed-by: Dmitry Koval --- src/backend/commands/tablecmds.c | 2 +- src/backend/tcop/utility.c | 6 ++++++ src/include/nodes/parsenodes.h | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 7a36db6af6d..8719b4bf291 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -20403,7 +20403,7 @@ createPartitionTable(RangeVar *newPartName, Relation modelRel, * Open the new partition with no lock, because we already have * AccessExclusiveLock placed there after creation. */ - newRel = table_openrv(newPartName, NoLock); + newRel = table_open(tlc->newRelationOid, NoLock); /* * We intended to create the partition with the same persistence as the diff --git a/src/backend/tcop/utility.c b/src/backend/tcop/utility.c index b2ea8125c92..26a30bfdd56 100644 --- a/src/backend/tcop/utility.c +++ b/src/backend/tcop/utility.c @@ -1225,6 +1225,12 @@ ProcessUtilitySlow(ParseState *pstate, morestmts = expandTableLikeClause(table_rv, like); stmts = list_concat(morestmts, stmts); + + /* + * Put the Oid of newly created relation to the + * TableLikeClause, so caller might use it. + */ + like->newRelationOid = address.objectId; } else { diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h index 85a62b538e5..577c4bfef76 100644 --- a/src/include/nodes/parsenodes.h +++ b/src/include/nodes/parsenodes.h @@ -754,6 +754,7 @@ typedef struct TableLikeClause RangeVar *relation; bits32 options; /* OR of TableLikeOption flags */ Oid relationOid; /* If table has been looked up, its OID */ + Oid newRelationOid; /* OID of newly created table */ } TableLikeClause; typedef enum TableLikeOption -- 2.39.3 (Apple Git-146)