In security-restricted operations, block enqueue of at-commit user code.

Specifically, this blocks DECLARE ... WITH HOLD and firing of deferred
triggers within index expressions and materialized view queries.  An
attacker having permission to create non-temp objects in at least one
schema could execute arbitrary SQL functions under the identity of the
bootstrap superuser.  One can work around the vulnerability by disabling
autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE
INDEX, VACUUM FULL, or REFRESH MATERIALIZED VIEW.  (Don't restore from
pg_dump, since it runs some of those commands.)  Plain VACUUM (without
FULL) is safe, and all commands are fine when a trusted user owns the
target object.  Performance may degrade quickly under this workaround,
however.  Back-patch to 9.5 (all supported versions).

Reviewed by Robert Haas.  Reported by Etienne Stalmans.

Security: CVE-2020-25695

diff --git a/contrib/postgres_fdw/connection.c b/contrib/postgres_fdw/connection.c
index b2305780683d1e6ef1a4911e00065277a54ec4c8..4cc247dbb55eb227419efd8331077a24992ab15d 100644 (file)
--- a/contrib/postgres_fdw/connection.c
+++ b/contrib/postgres_fdw/connection.c
@@ -654,6 +654,10 @@ pgfdw_report_error(int elevel, PGresult *res, PGconn *conn,
 
 /*
  * pgfdw_xact_callback --- cleanup at main-transaction end.
+ *
+ * This runs just late enough that it must not enter user-defined code
+ * locally.  (Entering such code on the remote side is fine.  Its remote
+ * COMMIT TRANSACTION may run deferred triggers.)
  */
 static void
 pgfdw_xact_callback(XactEvent event, void *arg)

diff --git a/src/backend/access/transam/xact.c b/src/backend/access/transam/xact.c
index c2e1222887f9210a5ea18d8f930b1daf22c7b6f9..e75062e0f96e0c7c94e12198e10bbc0c6c21a6c8 100644 (file)
--- a/src/backend/access/transam/xact.c
+++ b/src/backend/access/transam/xact.c
@@ -1990,9 +1990,10 @@ CommitTransaction(void)
 
    /*
     * Do pre-commit processing that involves calling user-defined code, such
-    * as triggers.  Since closing cursors could queue trigger actions,
-    * triggers could open cursors, etc, we have to keep looping until there's
-    * nothing left to do.
+    * as triggers.  SECURITY_RESTRICTED_OPERATION contexts must not queue an
+    * action that would run here, because that would bypass the sandbox.
+    * Since closing cursors could queue trigger actions, triggers could open
+    * cursors, etc, we have to keep looping until there's nothing left to do.
     */
    for (;;)
    {
@@ -2010,9 +2011,6 @@ CommitTransaction(void)
            break;
    }
 
-   CallXactCallbacks(is_parallel_worker ? XACT_EVENT_PARALLEL_PRE_COMMIT
-                     : XACT_EVENT_PRE_COMMIT);
-
    /*
     * The remaining actions cannot call any user-defined code, so it's safe
     * to start shutting down within-transaction services.  But note that most
@@ -2020,6 +2018,9 @@ CommitTransaction(void)
     * the transaction-abort path.
     */
 
+   CallXactCallbacks(is_parallel_worker ? XACT_EVENT_PARALLEL_PRE_COMMIT
+                     : XACT_EVENT_PRE_COMMIT);
+
    /* If we might have parallel workers, clean them up now. */
    if (IsInParallelMode())
        AtEOXact_Parallel(true);

diff --git a/src/backend/commands/portalcmds.c b/src/backend/commands/portalcmds.c
index e52830f7ec2ceebf4f57953f69bda7d3bbddf57f..ff744ecf1a8f2c8fbdd362ed044c92fb0b0be54a 100644 (file)
--- a/src/backend/commands/portalcmds.c
+++ b/src/backend/commands/portalcmds.c
@@ -27,6 +27,7 @@
 #include "commands/portalcmds.h"
 #include "executor/executor.h"
 #include "executor/tstoreReceiver.h"
+#include "miscadmin.h"
 #include "tcop/pquery.h"
 #include "utils/memutils.h"
 #include "utils/snapmgr.h"
@@ -67,6 +68,10 @@ PerformCursorOpen(PlannedStmt *stmt, ParamListInfo params,
     */
    if (!(cstmt->options & CURSOR_OPT_HOLD))
        RequireTransactionChain(isTopLevel, "DECLARE CURSOR");
+   else if (InSecurityRestrictedOperation())
+       ereport(ERROR,
+               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+                errmsg("cannot create a cursor WITH HOLD within security-restricted operation")));
 
    /*
     * Create a portal and copy the plan and queryString into its memory.

diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c
index ae0aa2cde69b75d98e35c31dce555443569123d6..9638fb0a016c82f3d244b94296dfc91f2fba0261 100644 (file)
--- a/src/backend/commands/trigger.c
+++ b/src/backend/commands/trigger.c
@@ -3701,6 +3701,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events,
                       bool immediate_only)
 {
    bool        found = false;
+   bool        deferred_found = false;
    AfterTriggerEvent event;
    AfterTriggerEventChunk *chunk;
 
@@ -3736,6 +3737,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events,
         */
        if (defer_it && move_list != NULL)
        {
+           deferred_found = true;
            /* add it to move_list */
            afterTriggerAddEvent(move_list, event, evtshared);
            /* mark original copy "done" so we don't do it again */
@@ -3743,6 +3745,16 @@ afterTriggerMarkEvents(AfterTriggerEventList *events,
        }
    }
 
+   /*
+    * We could allow deferred triggers if, before the end of the
+    * security-restricted operation, we were to verify that a SET CONSTRAINTS
+    * ... IMMEDIATE has fired all such triggers.  For now, don't bother.
+    */
+   if (deferred_found && InSecurityRestrictedOperation())
+       ereport(ERROR,
+               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+                errmsg("cannot fire deferred trigger within security-restricted operation")));
+
    return found;
 }
 

diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index b46af7c5e6a395153499726b1a5d31d6338fde7e..ce972b40d4a7e97390879483bab10247e2a34723 100644 (file)
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -1234,6 +1234,48 @@ SELECT has_table_privilege('regress_user1', 'atest4', 'SELECT WITH GRANT OPTION'
  t
 (1 row)
 
+-- security-restricted operations
+\c -
+CREATE ROLE regress_sro_user;
+SET SESSION AUTHORIZATION regress_sro_user;
+CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS
+   'GRANT regress_group2 TO regress_sro_user';
+CREATE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS
+   'DECLARE c CURSOR WITH HOLD FOR SELECT unwanted_grant(); SELECT true';
+-- REFRESH of this MV will queue a GRANT at end of transaction
+CREATE MATERIALIZED VIEW sro_mv AS SELECT mv_action() WITH NO DATA;
+REFRESH MATERIALIZED VIEW sro_mv;
+ERROR:  cannot create a cursor WITH HOLD within security-restricted operation
+CONTEXT:  SQL function "mv_action" statement 1
+\c -
+REFRESH MATERIALIZED VIEW sro_mv;
+ERROR:  cannot create a cursor WITH HOLD within security-restricted operation
+CONTEXT:  SQL function "mv_action" statement 1
+SET SESSION AUTHORIZATION regress_sro_user;
+-- INSERT to this table will queue a GRANT at end of transaction
+CREATE TABLE sro_trojan_table ();
+CREATE FUNCTION sro_trojan() RETURNS trigger LANGUAGE plpgsql AS
+   'BEGIN PERFORM unwanted_grant(); RETURN NULL; END';
+CREATE CONSTRAINT TRIGGER t AFTER INSERT ON sro_trojan_table
+    INITIALLY DEFERRED FOR EACH ROW EXECUTE PROCEDURE sro_trojan();
+-- Now, REFRESH will issue such an INSERT, queueing the GRANT
+CREATE OR REPLACE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS
+   'INSERT INTO sro_trojan_table DEFAULT VALUES; SELECT true';
+REFRESH MATERIALIZED VIEW sro_mv;
+ERROR:  cannot fire deferred trigger within security-restricted operation
+CONTEXT:  SQL function "mv_action" statement 1
+\c -
+REFRESH MATERIALIZED VIEW sro_mv;
+ERROR:  cannot fire deferred trigger within security-restricted operation
+CONTEXT:  SQL function "mv_action" statement 1
+BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT;
+ERROR:  must have admin option on role "regress_group2"
+CONTEXT:  SQL function "unwanted_grant" statement 1
+SQL statement "SELECT unwanted_grant()"
+PL/pgSQL function sro_trojan() line 1 at PERFORM
+SQL function "mv_action" statement 1
+DROP OWNED BY regress_sro_user;
+DROP ROLE regress_sro_user;
 -- Admin options
 SET SESSION AUTHORIZATION regress_user4;
 CREATE FUNCTION dogrant_ok() RETURNS void LANGUAGE sql SECURITY DEFINER AS

diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index c7d7347091b5e5fcecfeb063c44fd36b2bef4cf2..d285f6198cf9b4f0c8b5cb4fe3bf6a7a7c21941e 100644 (file)
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -752,6 +752,40 @@ SELECT has_table_privilege('regress_user3', 'atest4', 'SELECT'); -- false
 SELECT has_table_privilege('regress_user1', 'atest4', 'SELECT WITH GRANT OPTION'); -- true
 
 
+-- security-restricted operations
+\c -
+CREATE ROLE regress_sro_user;
+
+SET SESSION AUTHORIZATION regress_sro_user;
+CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS
+   'GRANT regress_group2 TO regress_sro_user';
+CREATE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS
+   'DECLARE c CURSOR WITH HOLD FOR SELECT unwanted_grant(); SELECT true';
+-- REFRESH of this MV will queue a GRANT at end of transaction
+CREATE MATERIALIZED VIEW sro_mv AS SELECT mv_action() WITH NO DATA;
+REFRESH MATERIALIZED VIEW sro_mv;
+\c -
+REFRESH MATERIALIZED VIEW sro_mv;
+
+SET SESSION AUTHORIZATION regress_sro_user;
+-- INSERT to this table will queue a GRANT at end of transaction
+CREATE TABLE sro_trojan_table ();
+CREATE FUNCTION sro_trojan() RETURNS trigger LANGUAGE plpgsql AS
+   'BEGIN PERFORM unwanted_grant(); RETURN NULL; END';
+CREATE CONSTRAINT TRIGGER t AFTER INSERT ON sro_trojan_table
+    INITIALLY DEFERRED FOR EACH ROW EXECUTE PROCEDURE sro_trojan();
+-- Now, REFRESH will issue such an INSERT, queueing the GRANT
+CREATE OR REPLACE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS
+   'INSERT INTO sro_trojan_table DEFAULT VALUES; SELECT true';
+REFRESH MATERIALIZED VIEW sro_mv;
+\c -
+REFRESH MATERIALIZED VIEW sro_mv;
+BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT;
+
+DROP OWNED BY regress_sro_user;
+DROP ROLE regress_sro_user;
+
+
 -- Admin options
 
 SET SESSION AUTHORIZATION regress_user4;