From 56d30fb10d5ce5e2d8b432eeaca8ecf2fc2a6900 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Tue, 30 Apr 2024 15:22:56 -0400 Subject: [PATCH] Disallow converting a table to a view within an outer SQL command. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We have long disallowed all forms of ALTER TABLE if the table is already opened by some outer SQL command in the same session. This has the same purpose as obtaining AccessExclusiveLock, but since a session's own locks don't conflict the lock only blocks use of the table by other sessions, not our own. Without this check, the ALTER might confuse the outer SQL command since any previous inspection of the table would potentially become invalid. However, the RelisBecomingView code path in DefineQueryRewrite never got that memo, and assumed that AccessExclusiveLock is sufficient for performing something morally equivalent to a rather invasive ALTER TABLE. Unsurprisingly, this can confuse an outer command that is trying to do something with the table. This was submitted as a security issue, but the security team has been unable to identify any consequence worse than a null pointer dereference (from trying to access rd_tableam methods that the relation no longer has). Therefore, in accordance with our usual policy, it's not security material and should just be fixed as a routine bug. Fix by disallowing the operation if the table is open locally, exactly as ALTER TABLE does it. Per an anonymous security researcher, via Bundesamt für Sicherheit in der Informationstechnik. Patch v12-v15 only. In v16 and later, we removed this code altogether (cf. commit b23cd185f), so that there's no issue. --- src/backend/rewrite/rewriteDefine.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/backend/rewrite/rewriteDefine.c b/src/backend/rewrite/rewriteDefine.c index 62c46e4384..cf6c47b596 100644 --- a/src/backend/rewrite/rewriteDefine.c +++ b/src/backend/rewrite/rewriteDefine.c @@ -30,6 +30,7 @@ #include "catalog/pg_rewrite.h" #include "catalog/storage.h" #include "commands/policy.h" +#include "commands/tablecmds.h" #include "miscadmin.h" #include "nodes/nodeFuncs.h" #include "parser/parse_utilcmd.h" @@ -422,6 +423,9 @@ DefineQueryRewrite(const char *rulename, * whole business of converting relations to views is just an obsolete * kluge to allow dump/reload of views that participate in circular * dependencies.) + * + * Also ensure the relation isn't being manipulated in any outer SQL + * command of our own session. */ if (event_relation->rd_rel->relkind != RELKIND_VIEW && event_relation->rd_rel->relkind != RELKIND_MATVIEW) @@ -430,6 +434,8 @@ DefineQueryRewrite(const char *rulename, Snapshot snapshot; TupleTableSlot *slot; + CheckTableNotInUse(event_relation, "CREATE RULE"); + if (event_relation->rd_rel->relkind == RELKIND_PARTITIONED_TABLE) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE),