git.postgresql.org Git - postgresql.git/commitdiff

git projects / postgresql.git / commitdiff

Fix CVE-2013-0255 properly.

2013年2月13日 21:20:01 +0000 (16:20 -0500)

Revert commit ab0f7b6089fd215f6ce6081e2e222c38d643a526 (in HEAD only)
in favor of the proper solution, which is to declare enum_recv() correctly
in the system catalogs. It should be declared to take type "internal"
not "cstring".

Also improve the type_sanity regression test, which should have caught
this typo, so that it actually would. Most of the relevant checks on
the signature of type I/O functions should not have been restricted to
basetypes/pseudotypes, as they should apply to any type's I/O functions.

src/backend/utils/adt/enum.c patch | blob | blame | history

src/include/catalog/catversion.h patch | blob | blame | history

src/include/catalog/pg_proc.h patch | blob | blame | history

src/test/regress/expected/type_sanity.out patch | blob | blame | history

src/test/regress/sql/type_sanity.sql patch | blob | blame | history

diff --git a/src/backend/utils/adt/enum.c b/src/backend/utils/adt/enum.c

index 1eb8ccfaee56d88d5be9de4d3dfeb3d2c4ed880d..01a726be447c56dc670e3a3e86821cc2905e355e 100644 (file)

--- a/src/backend/utils/adt/enum.c

+++ b/src/backend/utils/adt/enum.c

@@ -18,7 +18,6 @@

#include "access/htup_details.h"

#include "catalog/indexing.h"

#include "catalog/pg_enum.h"

-#include "catalog/pg_type.h"

#include "libpq/pqformat.h"

#include "utils/array.h"

#include "utils/builtins.h"

@@ -105,10 +104,6 @@ enum_recv(PG_FUNCTION_ARGS)

char *name;

int nbytes;

- /* guard against pre-9.3 misdeclaration of enum_recv */

- if (get_fn_expr_argtype(fcinfo->flinfo, 0) == CSTRINGOID)

- elog(ERROR, "invalid argument for enum_recv");

name = pq_getmsgtext(buf, buf->len - buf->cursor, &nbytes);

/* must check length to prevent Assert failure within SearchSysCache */

diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h

index 4b8fa0175b3866459b5e1317d27a8270e4765e61..2b8df5eaf6ff6e1ea88c524635e5b0feb90794e4 100644 (file)

--- a/src/include/catalog/catversion.h

+++ b/src/include/catalog/catversion.h

@@ -53,6 +53,6 @@

/* yyyymmddN */

-#define CATALOG_VERSION_NO 201301231

+#define CATALOG_VERSION_NO 201302131

#endif

diff --git a/src/include/catalog/pg_proc.h b/src/include/catalog/pg_proc.h

index 028e1684ff0c3c7461b893d9d3723a6a8eca7607..d9f50d22d2a3ae3752d9531e4102543fe76b4e48 100644 (file)

--- a/src/include/catalog/pg_proc.h

+++ b/src/include/catalog/pg_proc.h

@@ -4160,7 +4160,7 @@ DATA(insert OID = 3530 ( enum_range PGNSP PGUID 12 1 0 0 0 f f f f f f s 2 0 22

DESCR("range between the two given enum values, as an ordered array");

DATA(insert OID = 3531 ( enum_range PGNSP PGUID 12 1 0 0 0 f f f f f f s 1 0 2277 "3500" _null_ _null_ _null_ _null_ enum_range_all _null_ _null_ _null_ ));

DESCR("range of the given enum type, as an ordered array");

-DATA(insert OID = 3532 ( enum_recv PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 3500 "2275 26" _null_ _null_ _null_ _null_ enum_recv _null_ _null_ _null_ ));

+DATA(insert OID = 3532 ( enum_recv PGNSP PGUID 12 1 0 0 0 f f f f t f s 2 0 3500 "2281 26" _null_ _null_ _null_ _null_ enum_recv _null_ _null_ _null_ ));

DESCR("I/O");

DATA(insert OID = 3533 ( enum_send PGNSP PGUID 12 1 0 0 0 f f f f t f s 1 0 17 "3500" _null_ _null_ _null_ _null_ enum_send _null_ _null_ _null_ ));

DESCR("I/O");

diff --git a/src/test/regress/expected/type_sanity.out b/src/test/regress/expected/type_sanity.out

index 70eab923702679130df631363b0385fcab939dfd..3616c8dbd0907b418686ebad55c3a0b94b9ae5ee 100644 (file)

--- a/src/test/regress/expected/type_sanity.out

+++ b/src/test/regress/expected/type_sanity.out

@@ -117,8 +117,10 @@ WHERE (p1.typinput = 0 OR p1.typoutput = 0);

-- Check for bogus typinput routines

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typinput = p2.oid AND p1.typtype in ('b', 'p') AND NOT

+WHERE p1.typinput = p2.oid AND NOT

((p2.pronargs = 1 AND p2.proargtypes[0] = 'cstring'::regtype) OR

+ (p2.pronargs = 2 AND p2.proargtypes[0] = 'cstring'::regtype AND

+ p2.proargtypes[1] = 'oid'::regtype) OR

(p2.pronargs = 3 AND p2.proargtypes[0] = 'cstring'::regtype AND

p2.proargtypes[1] = 'oid'::regtype AND

p2.proargtypes[2] = 'int4'::regtype));

@@ -143,7 +145,7 @@ ORDER BY 1;

-- Exception as of 8.1: int2vector and oidvector have their own I/O routines

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typinput = p2.oid AND p1.typtype in ('b', 'p') AND

+WHERE p1.typinput = p2.oid AND

(p1.typelem != 0 AND p1.typlen < 0) AND NOT

(p2.oid = 'array_in'::regproc)

ORDER BY 1;

@@ -184,7 +186,7 @@ ORDER BY 1;

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typoutput = p2.oid AND p1.typtype in ('b', 'p') AND NOT

+WHERE p1.typoutput = p2.oid AND NOT

(p2.prorettype = 'cstring'::regtype AND NOT p2.proretset);

oid | typname | oid | proname

-----+---------+-----+---------

@@ -213,8 +215,10 @@ WHERE p1.typtype = 'd' AND p1.typoutput IS DISTINCT FROM p2.typoutput;

-- Check for bogus typreceive routines

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typreceive = p2.oid AND p1.typtype in ('b', 'p') AND NOT

+WHERE p1.typreceive = p2.oid AND NOT

((p2.pronargs = 1 AND p2.proargtypes[0] = 'internal'::regtype) OR

+ (p2.pronargs = 2 AND p2.proargtypes[0] = 'internal'::regtype AND

+ p2.proargtypes[1] = 'oid'::regtype) OR

(p2.pronargs = 3 AND p2.proargtypes[0] = 'internal'::regtype AND

p2.proargtypes[1] = 'oid'::regtype AND

p2.proargtypes[2] = 'int4'::regtype));

@@ -239,7 +243,7 @@ ORDER BY 1;

-- Exception as of 8.1: int2vector and oidvector have their own I/O routines

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typreceive = p2.oid AND p1.typtype in ('b', 'p') AND

+WHERE p1.typreceive = p2.oid AND

(p1.typelem != 0 AND p1.typlen < 0) AND NOT

(p2.oid = 'array_recv'::regproc)

ORDER BY 1;

@@ -289,7 +293,7 @@ ORDER BY 1;

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typsend = p2.oid AND p1.typtype in ('b', 'p') AND NOT

+WHERE p1.typsend = p2.oid AND NOT

(p2.prorettype = 'bytea'::regtype AND NOT p2.proretset);

oid | typname | oid | proname

-----+---------+-----+---------

diff --git a/src/test/regress/sql/type_sanity.sql b/src/test/regress/sql/type_sanity.sql

index 413b220d592d7a770c0ae9d3b87f29838c29e310..14cb5408b79e8f35eb3f12b0a92a30e470e4a48f 100644 (file)

--- a/src/test/regress/sql/type_sanity.sql

+++ b/src/test/regress/sql/type_sanity.sql

@@ -96,8 +96,10 @@ WHERE (p1.typinput = 0 OR p1.typoutput = 0);

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typinput = p2.oid AND p1.typtype in ('b', 'p') AND NOT

+WHERE p1.typinput = p2.oid AND NOT

((p2.pronargs = 1 AND p2.proargtypes[0] = 'cstring'::regtype) OR

+ (p2.pronargs = 2 AND p2.proargtypes[0] = 'cstring'::regtype AND

+ p2.proargtypes[1] = 'oid'::regtype) OR

(p2.pronargs = 3 AND p2.proargtypes[0] = 'cstring'::regtype AND

p2.proargtypes[1] = 'oid'::regtype AND

p2.proargtypes[2] = 'int4'::regtype));

@@ -115,7 +117,7 @@ ORDER BY 1;

-- Exception as of 8.1: int2vector and oidvector have their own I/O routines

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typinput = p2.oid AND p1.typtype in ('b', 'p') AND

+WHERE p1.typinput = p2.oid AND

(p1.typelem != 0 AND p1.typlen < 0) AND NOT

(p2.oid = 'array_in'::regproc)

ORDER BY 1;

@@ -141,7 +143,7 @@ ORDER BY 1;

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typoutput = p2.oid AND p1.typtype in ('b', 'p') AND NOT

+WHERE p1.typoutput = p2.oid AND NOT

(p2.prorettype = 'cstring'::regtype AND NOT p2.proretset);

-- Composites, enums, ranges should all use the same output routines

@@ -159,8 +161,10 @@ WHERE p1.typtype = 'd' AND p1.typoutput IS DISTINCT FROM p2.typoutput;

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typreceive = p2.oid AND p1.typtype in ('b', 'p') AND NOT

+WHERE p1.typreceive = p2.oid AND NOT

((p2.pronargs = 1 AND p2.proargtypes[0] = 'internal'::regtype) OR

+ (p2.pronargs = 2 AND p2.proargtypes[0] = 'internal'::regtype AND

+ p2.proargtypes[1] = 'oid'::regtype) OR

(p2.pronargs = 3 AND p2.proargtypes[0] = 'internal'::regtype AND

p2.proargtypes[1] = 'oid'::regtype AND

p2.proargtypes[2] = 'int4'::regtype));

@@ -178,7 +182,7 @@ ORDER BY 1;

-- Exception as of 8.1: int2vector and oidvector have their own I/O routines

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typreceive = p2.oid AND p1.typtype in ('b', 'p') AND

+WHERE p1.typreceive = p2.oid AND

(p1.typelem != 0 AND p1.typlen < 0) AND NOT

(p2.oid = 'array_recv'::regproc)

ORDER BY 1;

@@ -210,7 +214,7 @@ ORDER BY 1;

SELECT p1.oid, p1.typname, p2.oid, p2.proname

FROM pg_type AS p1, pg_proc AS p2

-WHERE p1.typsend = p2.oid AND p1.typtype in ('b', 'p') AND NOT

+WHERE p1.typsend = p2.oid AND NOT

(p2.prorettype = 'bytea'::regtype AND NOT p2.proretset);

-- Composites, enums, ranges should all use the same send routines

This is the main PostgreSQL git repository.

RSS Atom