Avoid repeated table name lookups in createPartitionTable()

akorotkov · akorotkov · commit 04158e7fa37c · 2024-08-22T09:50:48.000+03:00
Currently, createPartitionTable() opens newly created table using its name. This approach is prone to privilege escalation attack, because we might end up opening another table than we just created. This commit address the issue above by opening newly created table by its OID. It appears to be tricky to get a relation OID out of ProcessUtility(). We have to extend TableLikeClause with new newRelationOid field, which is filled within ProcessUtility() to be further accessed by caller. Security: CVE-2014-0062 Reported-by: Noah Misch Discussion: https://postgr.es/m/20240808171351.a9.nmisch%40google.com Reviewed-by: Pavel Borisov, Dmitry Koval
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
@@ -20383,6 +20383,7 @@ createPartitionTable(RangeVar *newPartName, Relation modelRel,
 	tlc->options = CREATE_TABLE_LIKE_ALL &
 		~(CREATE_TABLE_LIKE_INDEXES | CREATE_TABLE_LIKE_IDENTITY | CREATE_TABLE_LIKE_STATISTICS);
 	tlc->relationOid = InvalidOid;
+	tlc->newRelationOid = InvalidOid;
 	createStmt->tableElts = lappend(createStmt->tableElts, tlc);
 
 	/* Need to make a wrapper PlannedStmt. */
@@ -20406,7 +20407,7 @@ createPartitionTable(RangeVar *newPartName, Relation modelRel,
 	 * Open the new partition with no lock, because we already have
 	 * AccessExclusiveLock placed there after creation.
 	 */
-	newRel = table_openrv(newPartName, NoLock);
+	newRel = table_open(tlc->newRelationOid, NoLock);
 
 	/*
 	 * We intended to create the partition with the same persistence as the
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
@@ -4138,6 +4138,7 @@ TableLikeClause:
 					n->relation = $2;
 					n->options = $3;
 					n->relationOid = InvalidOid;
+					n->newRelationOid = InvalidOid;
 					$$ = (Node *) n;
 				}
 		;
diff --git a/src/backend/tcop/utility.c b/src/backend/tcop/utility.c
@@ -1225,6 +1225,12 @@ ProcessUtilitySlow(ParseState *pstate,
 
 							morestmts = expandTableLikeClause(table_rv, like);
 							stmts = list_concat(morestmts, stmts);
+
+							/*
+							 * Store the OID of newly created relation to the
+							 * TableLikeClause for the caller to use it.
+							 */
+							like->newRelationOid = address.objectId;
 						}
 						else
 						{
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
@@ -754,6 +754,7 @@ typedef struct TableLikeClause
 	RangeVar   *relation;
 	bits32		options;		/* OR of TableLikeOption flags */
 	Oid			relationOid;	/* If table has been looked up, its OID */
+	Oid			newRelationOid; /* OID of newly created table */
 } TableLikeClause;
 
 typedef enum TableLikeOption

Original file line number	Diff line number	Diff line change
`@@ -4138,6 +4138,7 @@ TableLikeClause:`
`4138`	`4138`	`n->relation = $2;`
`4139`	`4139`	`n->options = $3;`
`4140`	`4140`	`n->relationOid = InvalidOid;`
	`4141`	`+ n->newRelationOid = InvalidOid;`
`4141`	`4142`	`$$ = (Node *) n;`
`4142`	`4143`	`}`
`4143`	`4144`	`;`
Original file line number	Diff line number	Diff line change
`@@ -1225,6 +1225,12 @@ ProcessUtilitySlow(ParseState *pstate,`
`1225`	`1225`
`1226`	`1226`	`morestmts = expandTableLikeClause(table_rv, like);`
`1227`	`1227`	`stmts = list_concat(morestmts, stmts);`
	`1228`	`+`
	`1229`	`+ /*`
	`1230`	`+ * Store the OID of newly created relation to the`
	`1231`	`+ * TableLikeClause for the caller to use it.`
	`1232`	`+ */`
	`1233`	`+ like->newRelationOid = address.objectId;`
`1228`	`1234`	`}`
`1229`	`1235`	`else`
`1230`	`1236`	`{`