diff options
author | Yogita Urade <yogita.urade@windriver.com> | 2023-11-29 07:18:31 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-12-13 13:35:51 -0500 |
commit | 1117be8983eb2441ee9721abd7665cc071c38c70 (patch) | |
tree | 2bf00751cf4fd6b16e5514d6e1e40f4e3c04be23 | |
parent | 3fdd2602091966f3e928243cd4bb632107618fb6 (diff) | |
download | meta-openembedded-1117be8983eb2441ee9721abd7665cc071c38c70.tar.gz |
postgresql: fix CVE-2023-5868 CVE-2023-5869 CVE-2023-5870
CVE-2023-5868:
postgresql: Compute aggregate argument types correctly in
transformAggregateCall()
CVE-2023-5869:
postgresql: Detect integer overflow while computing new
array dimensions
CVE-2023-5870:
postgresql: Ban role pg_signal_backend from more superuser
backend types.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-5868
https://nvd.nist.gov/vuln/detail/CVE-2023-5869
https://nvd.nist.gov/vuln/detail/CVE-2023-5870
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
4 files changed, 530 insertions, 0 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5868.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5868.patch new file mode 100644 index 000000000..50953f49b --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5868.patch | |||
@@ -0,0 +1,125 @@ | |||
1 | From 3b0776fde56763c549df35ce9750f3399bc710b2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tom Lane <tgl@sss.pgh.pa.us> | ||
3 | Date: Tue, 21 Nov 2023 11:37:27 +0000 | ||
4 | Subject: [PATCH] Compute aggregate argument types correctly in | ||
5 | |||
6 | transformAggregateCall(). | ||
7 | |||
8 | transformAggregateCall() captures the datatypes of the aggregate's | ||
9 | arguments immediately to construct the Aggref.aggargtypes list. | ||
10 | This seems reasonable because the arguments have already been | ||
11 | transformed --- but there is an edge case where they haven't been. | ||
12 | Specifically, if we have an unknown-type literal in an ANY argument | ||
13 | position, nothing will have been done with it earlier. But if we | ||
14 | also have DISTINCT, then addTargetToGroupList() converts the literal | ||
15 | to "text" type, resulting in the aggargtypes list not matching the | ||
16 | actual runtime type of the argument. The end result is that the | ||
17 | aggregate tries to interpret a "text" value as being of type | ||
18 | "unknown", that is a zero-terminated C string. If the text value | ||
19 | contains no zero bytes, this could result in disclosure of server | ||
20 | memory following the text literal value. | ||
21 | |||
22 | To fix, move the collection of the aggargtypes list to the end | ||
23 | of transformAggregateCall(), after DISTINCT has been handled. | ||
24 | This requires slightly more code, but not a great deal. | ||
25 | |||
26 | Our thanks to Jingzhou Fu for reporting this problem. | ||
27 | |||
28 | Security: CVE-2023-5868 | ||
29 | |||
30 | CVE: CVE-2023-5868 | ||
31 | Upstream-Status: Backport [https://github.com/postgres/postgres/commit/3b0776fde56763c549df35ce9750f3399bc710b2] | ||
32 | |||
33 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
34 | |||
35 | --- | ||
36 | src/backend/parser/parse_agg.c | 35 +++++++++++++++++++---------- | ||
37 | src/test/regress/expected/jsonb.out | 7 ++++++ | ||
38 | src/test/regress/sql/jsonb.sql | 3 +++ | ||
39 | 3 files changed, 33 insertions(+), 12 deletions(-) | ||
40 | |||
41 | diff --git a/src/backend/parser/parse_agg.c b/src/backend/parser/parse_agg.c | ||
42 | index 828cd99..90cf150 100644 | ||
43 | --- a/src/backend/parser/parse_agg.c | ||
44 | +++ b/src/backend/parser/parse_agg.c | ||
45 | @@ -110,18 +110,6 @@ transformAggregateCall(ParseState *pstate, Aggref *agg, | ||
46 | int save_next_resno; | ||
47 | ListCell *lc; | ||
48 | |||
49 | - /* | ||
50 | - * Before separating the args into direct and aggregated args, make a list | ||
51 | - * of their data type OIDs for use later. | ||
52 | - */ | ||
53 | - foreach(lc, args) | ||
54 | - { | ||
55 | - Expr *arg = (Expr *) lfirst(lc); | ||
56 | - | ||
57 | - argtypes = lappend_oid(argtypes, exprType((Node *) arg)); | ||
58 | - } | ||
59 | - agg->aggargtypes = argtypes; | ||
60 | - | ||
61 | if (AGGKIND_IS_ORDERED_SET(agg->aggkind)) | ||
62 | { | ||
63 | /* | ||
64 | @@ -233,6 +221,29 @@ transformAggregateCall(ParseState *pstate, Aggref *agg, | ||
65 | agg->aggorder = torder; | ||
66 | agg->aggdistinct = tdistinct; | ||
67 | |||
68 | + /* | ||
69 | + * Now build the aggargtypes list with the type OIDs of the direct and | ||
70 | + * aggregated args, ignoring any resjunk entries that might have been | ||
71 | + * added by ORDER BY/DISTINCT processing. We can't do this earlier | ||
72 | + * because said processing can modify some args' data types, in particular | ||
73 | + * by resolving previously-unresolved "unknown" literals. | ||
74 | + */ | ||
75 | + foreach(lc, agg->aggdirectargs) | ||
76 | + { | ||
77 | + Expr *arg = (Expr *) lfirst(lc); | ||
78 | + | ||
79 | + argtypes = lappend_oid(argtypes, exprType((Node *) arg)); | ||
80 | + } | ||
81 | + foreach(lc, tlist) | ||
82 | + { | ||
83 | + TargetEntry *tle = (TargetEntry *) lfirst(lc); | ||
84 | + | ||
85 | + if (tle->resjunk) | ||
86 | + continue; /* ignore junk */ | ||
87 | + argtypes = lappend_oid(argtypes, exprType((Node *) tle->expr)); | ||
88 | + } | ||
89 | + agg->aggargtypes = argtypes; | ||
90 | + | ||
91 | check_agglevels_and_constraints(pstate, (Node *) agg); | ||
92 | } | ||
93 | |||
94 | diff --git a/src/test/regress/expected/jsonb.out b/src/test/regress/expected/jsonb.out | ||
95 | index bec355d..eb7f410 100644 | ||
96 | --- a/src/test/regress/expected/jsonb.out | ||
97 | +++ b/src/test/regress/expected/jsonb.out | ||
98 | @@ -1558,6 +1558,13 @@ SELECT jsonb_object_agg(name, type) FROM foo; | ||
99 | INSERT INTO foo VALUES (999999, NULL, 'bar'); | ||
100 | SELECT jsonb_object_agg(name, type) FROM foo; | ||
101 | ERROR: field name must not be null | ||
102 | +-- edge case for parser | ||
103 | +SELECT jsonb_object_agg(DISTINCT 'a', 'abc'); | ||
104 | + jsonb_object_agg | ||
105 | +------------------ | ||
106 | + {"a": "abc"} | ||
107 | +(1 row) | ||
108 | + | ||
109 | -- jsonb_object | ||
110 | -- empty object, one dimension | ||
111 | SELECT jsonb_object('{}'); | ||
112 | diff --git a/src/test/regress/sql/jsonb.sql b/src/test/regress/sql/jsonb.sql | ||
113 | index f8d5960..040e1ba 100644 | ||
114 | --- a/src/test/regress/sql/jsonb.sql | ||
115 | +++ b/src/test/regress/sql/jsonb.sql | ||
116 | @@ -397,6 +397,9 @@ SELECT jsonb_object_agg(name, type) FROM foo; | ||
117 | INSERT INTO foo VALUES (999999, NULL, 'bar'); | ||
118 | SELECT jsonb_object_agg(name, type) FROM foo; | ||
119 | |||
120 | +-- edge case for parser | ||
121 | +SELECT jsonb_object_agg(DISTINCT 'a', 'abc'); | ||
122 | + | ||
123 | -- jsonb_object | ||
124 | |||
125 | -- empty object, one dimension | ||
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch new file mode 100644 index 000000000..cef2ab225 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch | |||
@@ -0,0 +1,294 @@ | |||
1 | From 18b585155a891784ca8985f595ebc0dde94e0d43 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tom Lane <tgl@sss.pgh.pa.us> | ||
3 | Date: Tue, 21 Nov 2023 11:43:00 +0000 | ||
4 | Subject: [PATCH] Detect integer overflow while computing new array dimensions. | ||
5 | |||
6 | array_set_element() and related functions allow an array to be | ||
7 | enlarged by assigning to subscripts outside the current array bounds. | ||
8 | While these places were careful to check that the new bounds are | ||
9 | allowable, they neglected to consider the risk of integer overflow | ||
10 | in computing the new bounds. In edge cases, we could compute new | ||
11 | bounds that are invalid but get past the subsequent checks, | ||
12 | allowing bad things to happen. Memory stomps that are potentially | ||
13 | exploitable for arbitrary code execution are possible, and so is | ||
14 | disclosure of server memory. | ||
15 | |||
16 | To fix, perform the hazardous computations using overflow-detecting | ||
17 | arithmetic routines, which fortunately exist in all still-supported | ||
18 | branches. | ||
19 | |||
20 | The test cases added for this generate (after patching) errors that | ||
21 | mention the value of MaxArraySize, which is platform-dependent. | ||
22 | Rather than introduce multiple expected-files, use psql's VERBOSITY | ||
23 | parameter to suppress the printing of the message text. v11 psql | ||
24 | lacks that parameter, so omit the tests in that branch. | ||
25 | |||
26 | Our thanks to Pedro Gallegos for reporting this problem. | ||
27 | |||
28 | Security: CVE-2023-5869 | ||
29 | |||
30 | CVE: CVE-2023-5869 | ||
31 | Upstream-Status: Backport [https://github.com/postgres/postgres/commit/18b585155a891784ca8985f595ebc0dde94e0d43] | ||
32 | |||
33 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
34 | |||
35 | --- | ||
36 | src/backend/utils/adt/arrayfuncs.c | 85 ++++++++++++++++++++++------ | ||
37 | src/backend/utils/adt/arrayutils.c | 6 -- | ||
38 | src/include/utils/array.h | 7 +++ | ||
39 | src/test/regress/expected/arrays.out | 17 ++++++ | ||
40 | src/test/regress/sql/arrays.sql | 19 +++++++ | ||
41 | 5 files changed, 110 insertions(+), 24 deletions(-) | ||
42 | |||
43 | diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c | ||
44 | index 949737d..0071f7d 100644 | ||
45 | --- a/src/backend/utils/adt/arrayfuncs.c | ||
46 | +++ b/src/backend/utils/adt/arrayfuncs.c | ||
47 | @@ -19,6 +19,7 @@ | ||
48 | |||
49 | #include "access/htup_details.h" | ||
50 | #include "catalog/pg_type.h" | ||
51 | +#include "common/int.h" | ||
52 | #include "funcapi.h" | ||
53 | #include "libpq/pqformat.h" | ||
54 | #include "nodes/nodeFuncs.h" | ||
55 | @@ -2334,22 +2335,38 @@ array_set_element(Datum arraydatum, | ||
56 | addedbefore = addedafter = 0; | ||
57 | |||
58 | /* | ||
59 | - * Check subscripts | ||
60 | + * Check subscripts. We assume the existing subscripts passed | ||
61 | + * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without | ||
62 | + * overflow. But we must beware of other overflows in our calculations of | ||
63 | + * new dim[] values. | ||
64 | */ | ||
65 | if (ndim == 1) | ||
66 | { | ||
67 | if (indx[0] < lb[0]) | ||
68 | { | ||
69 | - addedbefore = lb[0] - indx[0]; | ||
70 | - dim[0] += addedbefore; | ||
71 | + /* addedbefore = lb[0] - indx[0]; */ | ||
72 | + /* dim[0] += addedbefore; */ | ||
73 | + if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) || | ||
74 | + pg_add_s32_overflow(dim[0], addedbefore, &dim[0])) | ||
75 | + ereport(ERROR, | ||
76 | + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), | ||
77 | + errmsg("array size exceeds the maximum allowed (%d)", | ||
78 | + (int) MaxArraySize))); | ||
79 | lb[0] = indx[0]; | ||
80 | if (addedbefore > 1) | ||
81 | newhasnulls = true; /* will insert nulls */ | ||
82 | } | ||
83 | if (indx[0] >= (dim[0] + lb[0])) | ||
84 | { | ||
85 | - addedafter = indx[0] - (dim[0] + lb[0]) + 1; | ||
86 | - dim[0] += addedafter; | ||
87 | + /* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */ | ||
88 | + /* dim[0] += addedafter; */ | ||
89 | + if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) || | ||
90 | + pg_add_s32_overflow(addedafter, 1, &addedafter) || | ||
91 | + pg_add_s32_overflow(dim[0], addedafter, &dim[0])) | ||
92 | + ereport(ERROR, | ||
93 | + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), | ||
94 | + errmsg("array size exceeds the maximum allowed (%d)", | ||
95 | + (int) MaxArraySize))); | ||
96 | if (addedafter > 1) | ||
97 | newhasnulls = true; /* will insert nulls */ | ||
98 | } | ||
99 | @@ -2595,14 +2612,23 @@ array_set_element_expanded(Datum arraydatum, | ||
100 | addedbefore = addedafter = 0; | ||
101 | |||
102 | /* | ||
103 | - * Check subscripts (this logic matches original array_set_element) | ||
104 | + * Check subscripts (this logic must match array_set_element). We assume | ||
105 | + * the existing subscripts passed ArrayCheckBounds, so that dim[i] + lb[i] | ||
106 | + * can be computed without overflow. But we must beware of other | ||
107 | + * overflows in our calculations of new dim[] values. | ||
108 | */ | ||
109 | if (ndim == 1) | ||
110 | { | ||
111 | if (indx[0] < lb[0]) | ||
112 | { | ||
113 | - addedbefore = lb[0] - indx[0]; | ||
114 | - dim[0] += addedbefore; | ||
115 | + /* addedbefore = lb[0] - indx[0]; */ | ||
116 | + /* dim[0] += addedbefore; */ | ||
117 | + if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) || | ||
118 | + pg_add_s32_overflow(dim[0], addedbefore, &dim[0])) | ||
119 | + ereport(ERROR, | ||
120 | + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), | ||
121 | + errmsg("array size exceeds the maximum allowed (%d)", | ||
122 | + (int) MaxArraySize))); | ||
123 | lb[0] = indx[0]; | ||
124 | dimschanged = true; | ||
125 | if (addedbefore > 1) | ||
126 | @@ -2610,8 +2636,15 @@ array_set_element_expanded(Datum arraydatum, | ||
127 | } | ||
128 | if (indx[0] >= (dim[0] + lb[0])) | ||
129 | { | ||
130 | - addedafter = indx[0] - (dim[0] + lb[0]) + 1; | ||
131 | - dim[0] += addedafter; | ||
132 | + /* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */ | ||
133 | + /* dim[0] += addedafter; */ | ||
134 | + if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) || | ||
135 | + pg_add_s32_overflow(addedafter, 1, &addedafter) || | ||
136 | + pg_add_s32_overflow(dim[0], addedafter, &dim[0])) | ||
137 | + ereport(ERROR, | ||
138 | + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), | ||
139 | + errmsg("array size exceeds the maximum allowed (%d)", | ||
140 | + (int) MaxArraySize))); | ||
141 | dimschanged = true; | ||
142 | if (addedafter > 1) | ||
143 | newhasnulls = true; /* will insert nulls */ | ||
144 | @@ -2894,7 +2927,10 @@ array_set_slice(Datum arraydatum, | ||
145 | addedbefore = addedafter = 0; | ||
146 | |||
147 | /* | ||
148 | - * Check subscripts | ||
149 | + * Check subscripts. We assume the existing subscripts passed | ||
150 | + * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without | ||
151 | + * overflow. But we must beware of other overflows in our calculations of | ||
152 | + * new dim[] values. | ||
153 | */ | ||
154 | if (ndim == 1) | ||
155 | { | ||
156 | @@ -2909,18 +2945,31 @@ array_set_slice(Datum arraydatum, | ||
157 | errmsg("upper bound cannot be less than lower bound"))); | ||
158 | if (lowerIndx[0] < lb[0]) | ||
159 | { | ||
160 | - if (upperIndx[0] < lb[0] - 1) | ||
161 | - newhasnulls = true; /* will insert nulls */ | ||
162 | - addedbefore = lb[0] - lowerIndx[0]; | ||
163 | - dim[0] += addedbefore; | ||
164 | + /* addedbefore = lb[0] - lowerIndx[0]; */ | ||
165 | + /* dim[0] += addedbefore; */ | ||
166 | + if (pg_sub_s32_overflow(lb[0], lowerIndx[0], &addedbefore) || | ||
167 | + pg_add_s32_overflow(dim[0], addedbefore, &dim[0])) | ||
168 | + ereport(ERROR, | ||
169 | + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), | ||
170 | + errmsg("array size exceeds the maximum allowed (%d)", | ||
171 | + (int) MaxArraySize))); | ||
172 | lb[0] = lowerIndx[0]; | ||
173 | + if (addedbefore > 1) | ||
174 | + newhasnulls = true; /* will insert nulls */ | ||
175 | } | ||
176 | if (upperIndx[0] >= (dim[0] + lb[0])) | ||
177 | { | ||
178 | - if (lowerIndx[0] > (dim[0] + lb[0])) | ||
179 | + /* addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; */ | ||
180 | + /* dim[0] += addedafter; */ | ||
181 | + if (pg_sub_s32_overflow(upperIndx[0], dim[0] + lb[0], &addedafter) || | ||
182 | + pg_add_s32_overflow(addedafter, 1, &addedafter) || | ||
183 | + pg_add_s32_overflow(dim[0], addedafter, &dim[0])) | ||
184 | + ereport(ERROR, | ||
185 | + (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), | ||
186 | + errmsg("array size exceeds the maximum allowed (%d)", | ||
187 | + (int) MaxArraySize))); | ||
188 | + if (addedafter > 1) | ||
189 | newhasnulls = true; /* will insert nulls */ | ||
190 | - addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; | ||
191 | - dim[0] += addedafter; | ||
192 | } | ||
193 | } | ||
194 | else | ||
195 | diff --git a/src/backend/utils/adt/arrayutils.c b/src/backend/utils/adt/arrayutils.c | ||
196 | index 6988edd..fdaf712 100644 | ||
197 | --- a/src/backend/utils/adt/arrayutils.c | ||
198 | +++ b/src/backend/utils/adt/arrayutils.c | ||
199 | @@ -64,10 +64,6 @@ ArrayGetOffset0(int n, const int *tup, const int *scale) | ||
200 | * This must do overflow checking, since it is used to validate that a user | ||
201 | * dimensionality request doesn't overflow what we can handle. | ||
202 | * | ||
203 | - * We limit array sizes to at most about a quarter billion elements, | ||
204 | - * so that it's not necessary to check for overflow in quite so many | ||
205 | - * places --- for instance when palloc'ing Datum arrays. | ||
206 | - * | ||
207 | * The multiplication overflow check only works on machines that have int64 | ||
208 | * arithmetic, but that is nearly all platforms these days, and doing check | ||
209 | * divides for those that don't seems way too expensive. | ||
210 | @@ -78,8 +74,6 @@ ArrayGetNItems(int ndim, const int *dims) | ||
211 | int32 ret; | ||
212 | int i; | ||
213 | |||
214 | -#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum))) | ||
215 | - | ||
216 | if (ndim <= 0) | ||
217 | return 0; | ||
218 | ret = 1; | ||
219 | diff --git a/src/include/utils/array.h b/src/include/utils/array.h | ||
220 | index 4ae6c3b..0d6db51 100644 | ||
221 | --- a/src/include/utils/array.h | ||
222 | +++ b/src/include/utils/array.h | ||
223 | @@ -74,6 +74,13 @@ struct ExprContext; | ||
224 | */ | ||
225 | #define MAXDIM 6 | ||
226 | |||
227 | +/* | ||
228 | + * Maximum number of elements in an array. We limit this to at most about a | ||
229 | + * quarter billion elements, so that it's not necessary to check for overflow | ||
230 | + * in quite so many places --- for instance when palloc'ing Datum arrays. | ||
231 | + */ | ||
232 | +#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum))) | ||
233 | + | ||
234 | /* | ||
235 | * Arrays are varlena objects, so must meet the varlena convention that | ||
236 | * the first int32 of the object contains the total object size in bytes. | ||
237 | diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out | ||
238 | index 4923cf3..7f9b693 100644 | ||
239 | --- a/src/test/regress/expected/arrays.out | ||
240 | +++ b/src/test/regress/expected/arrays.out | ||
241 | @@ -1380,6 +1380,23 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk) | ||
242 | -- then you didn't get an indexscan plan, and something is busted. | ||
243 | reset enable_seqscan; | ||
244 | reset enable_bitmapscan; | ||
245 | +-- test subscript overflow detection | ||
246 | +-- The normal error message includes a platform-dependent limit, | ||
247 | +-- so suppress it to avoid needing multiple expected-files. | ||
248 | +\set VERBOSITY sqlstate | ||
249 | +insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}'); | ||
250 | +update arr_pk_tbl set f1[2147483647] = 42 where pk = 10; | ||
251 | +ERROR: 54000 | ||
252 | +update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10; | ||
253 | +ERROR: 54000 | ||
254 | +-- also exercise the expanded-array case | ||
255 | +do $$ declare a int[]; | ||
256 | +begin | ||
257 | + a := '[-2147483648:-2147483647]={1,2}'::int[]; | ||
258 | + a[2147483647] := 42; | ||
259 | +end $$; | ||
260 | +ERROR: 54000 | ||
261 | +\set VERBOSITY default | ||
262 | -- test [not] (like|ilike) (any|all) (...) | ||
263 | select 'foo' like any (array['%a', '%o']); -- t | ||
264 | ?column? | ||
265 | diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql | ||
266 | index 5eedc4c..3ad8bdf 100644 | ||
267 | --- a/src/test/regress/sql/arrays.sql | ||
268 | +++ b/src/test/regress/sql/arrays.sql | ||
269 | @@ -415,6 +415,25 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk) | ||
270 | reset enable_seqscan; | ||
271 | reset enable_bitmapscan; | ||
272 | |||
273 | +-- test subscript overflow detection | ||
274 | + | ||
275 | +-- The normal error message includes a platform-dependent limit, | ||
276 | +-- so suppress it to avoid needing multiple expected-files. | ||
277 | +\set VERBOSITY sqlstate | ||
278 | + | ||
279 | +insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}'); | ||
280 | +update arr_pk_tbl set f1[2147483647] = 42 where pk = 10; | ||
281 | +update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10; | ||
282 | + | ||
283 | +-- also exercise the expanded-array case | ||
284 | +do $$ declare a int[]; | ||
285 | +begin | ||
286 | + a := '[-2147483648:-2147483647]={1,2}'::int[]; | ||
287 | + a[2147483647] := 42; | ||
288 | +end $$; | ||
289 | + | ||
290 | +\set VERBOSITY default | ||
291 | + | ||
292 | -- test [not] (like|ilike) (any|all) (...) | ||
293 | select 'foo' like any (array['%a', '%o']); -- t | ||
294 | select 'foo' like any (array['%a', '%b']); -- f | ||
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5870.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5870.patch new file mode 100644 index 000000000..b1a16e466 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5870.patch | |||
@@ -0,0 +1,108 @@ | |||
1 | From 3a9b18b3095366cd0c4305441d426d04572d88c1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Noah Misch <noah@leadboat.com> | ||
3 | Date: Tue, 21 Nov 2023 11:49:50 +0000 | ||
4 | Subject: [PATCH] Ban role pg_signal_backend from more superuser backend types. | ||
5 | |||
6 | Documentation says it cannot signal "a backend owned by a superuser". | ||
7 | On the contrary, it could signal background workers, including the | ||
8 | logical replication launcher. It could signal autovacuum workers and | ||
9 | the autovacuum launcher. Block all that. Signaling autovacuum workers | ||
10 | and those two launchers doesn't stall progress beyond what one could | ||
11 | achieve other ways. If a cluster uses a non-core extension with a | ||
12 | background worker that does not auto-restart, this could create a denial | ||
13 | of service with respect to that background worker. A background worker | ||
14 | with bugs in its code for responding to terminations or cancellations | ||
15 | could experience those bugs at a time the pg_signal_backend member | ||
16 | chooses. Back-patch to v11 (all supported versions). | ||
17 | |||
18 | Reviewed by Jelte Fennema-Nio. Reported by Hemanth Sandrana and | ||
19 | Mahendrakar Srinivasarao. | ||
20 | |||
21 | Security: CVE-2023-5870 | ||
22 | |||
23 | CVE: CVE-2023-5870 | ||
24 | Upstream-Status: Backport [https://github.com/postgres/postgres/commit/3a9b18b3095366cd0c4305441d426d04572d88c1] | ||
25 | |||
26 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
27 | |||
28 | --- | ||
29 | src/backend/storage/ipc/signalfuncs.c | 9 +++++++-- | ||
30 | src/test/regress/expected/privileges.out | 18 ++++++++++++++++++ | ||
31 | src/test/regress/sql/privileges.sql | 15 +++++++++++++++ | ||
32 | 3 files changed, 40 insertions(+), 2 deletions(-) | ||
33 | |||
34 | diff --git a/src/backend/storage/ipc/signalfuncs.c b/src/backend/storage/ipc/signalfuncs.c | ||
35 | index de69d60..b6ff412 100644 | ||
36 | --- a/src/backend/storage/ipc/signalfuncs.c | ||
37 | +++ b/src/backend/storage/ipc/signalfuncs.c | ||
38 | @@ -69,8 +69,13 @@ pg_signal_backend(int pid, int sig) | ||
39 | return SIGNAL_BACKEND_ERROR; | ||
40 | } | ||
41 | |||
42 | - /* Only allow superusers to signal superuser-owned backends. */ | ||
43 | - if (superuser_arg(proc->roleId) && !superuser()) | ||
44 | + /* | ||
45 | + * Only allow superusers to signal superuser-owned backends. Any process | ||
46 | + * not advertising a role might have the importance of a superuser-owned | ||
47 | + * backend, so treat it that way. | ||
48 | + */ | ||
49 | + if ((!OidIsValid(proc->roleId) || superuser_arg(proc->roleId)) && | ||
50 | + !superuser()) | ||
51 | return SIGNAL_BACKEND_NOSUPERUSER; | ||
52 | |||
53 | /* Users can signal backends they have role membership in. */ | ||
54 | diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out | ||
55 | index b3c3b25..90e70f9 100644 | ||
56 | --- a/src/test/regress/expected/privileges.out | ||
57 | +++ b/src/test/regress/expected/privileges.out | ||
58 | @@ -1846,6 +1846,24 @@ SELECT * FROM pg_largeobject LIMIT 0; | ||
59 | SET SESSION AUTHORIZATION regress_priv_user1; | ||
60 | SELECT * FROM pg_largeobject LIMIT 0; -- to be denied | ||
61 | ERROR: permission denied for table pg_largeobject | ||
62 | +-- pg_signal_backend can't signal superusers | ||
63 | +RESET SESSION AUTHORIZATION; | ||
64 | +BEGIN; | ||
65 | +CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool | ||
66 | + LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$ | ||
67 | +BEGIN | ||
68 | + RETURN pg_terminate_backend($1); | ||
69 | +EXCEPTION WHEN OTHERS THEN | ||
70 | + RETURN false; | ||
71 | +END$$; | ||
72 | +ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend; | ||
73 | +SELECT backend_type FROM pg_stat_activity | ||
74 | +WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END; | ||
75 | + backend_type | ||
76 | +-------------- | ||
77 | +(0 rows) | ||
78 | + | ||
79 | +ROLLBACK; | ||
80 | -- test pg_database_owner | ||
81 | RESET SESSION AUTHORIZATION; | ||
82 | GRANT pg_database_owner TO regress_priv_user1; | ||
83 | diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql | ||
84 | index af05f95..f96143e 100644 | ||
85 | --- a/src/test/regress/sql/privileges.sql | ||
86 | +++ b/src/test/regress/sql/privileges.sql | ||
87 | @@ -1133,6 +1133,21 @@ SELECT * FROM pg_largeobject LIMIT 0; | ||
88 | SET SESSION AUTHORIZATION regress_priv_user1; | ||
89 | SELECT * FROM pg_largeobject LIMIT 0; -- to be denied | ||
90 | |||
91 | +-- pg_signal_backend can't signal superusers | ||
92 | +RESET SESSION AUTHORIZATION; | ||
93 | +BEGIN; | ||
94 | +CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool | ||
95 | + LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$ | ||
96 | +BEGIN | ||
97 | + RETURN pg_terminate_backend($1); | ||
98 | +EXCEPTION WHEN OTHERS THEN | ||
99 | + RETURN false; | ||
100 | +END$$; | ||
101 | +ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend; | ||
102 | +SELECT backend_type FROM pg_stat_activity | ||
103 | +WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END; | ||
104 | +ROLLBACK; | ||
105 | + | ||
106 | -- test pg_database_owner | ||
107 | RESET SESSION AUTHORIZATION; | ||
108 | GRANT pg_database_owner TO regress_priv_user1; | ||
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb index f779ea7ab..a879de20c 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb | |||
@@ -9,6 +9,9 @@ SRC_URI += "\ | |||
9 | file://0001-configure.ac-bypass-autoconf-2.69-version-check.patch \ | 9 | file://0001-configure.ac-bypass-autoconf-2.69-version-check.patch \ |
10 | file://0001-config_info.c-not-expose-build-info.patch \ | 10 | file://0001-config_info.c-not-expose-build-info.patch \ |
11 | file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \ | 11 | file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \ |
12 | file://CVE-2023-5868.patch \ | ||
13 | file://CVE-2023-5869.patch \ | ||
14 | file://CVE-2023-5870.patch \ | ||
12 | " | 15 | " |
13 | 16 | ||
14 | SRC_URI[sha256sum] = "b1fe3ba9b1a7f3a9637dd1656dfdad2889016073fd4d35f13b50143cbbb6a8ef" | 17 | SRC_URI[sha256sum] = "b1fe3ba9b1a7f3a9637dd1656dfdad2889016073fd4d35f13b50143cbbb6a8ef" |