Add missing checks to some of pageinspect's BRIN functions

brin_page_type() and brin_metapage_info() did not enforce being called by superuser, like other pageinspect functions that take bytea do. Since they don't verify the passed page thoroughly, it is possible to use them to read the server memory with a carefully crafted bytea value, up to a file kilobytes from where the input bytea is located. Have them throw errors if called by a non-superuser. Report and initial patch: Andreas Seltenreich Security: CVE-2016-3065

Add missing checks to some of pageinspect's BRIN functions
brin_page_type() and brin_metapage_info() did not enforce being called by superuser, like other pageinspect functions that take bytea do. Since they don't verify the passed page thoroughly, it is possible to use them to read the server memory with a carefully crafted bytea value, up to a file kilobytes from where the input bytea is located. Have them throw errors if called by a non-superuser. Report and initial patch: Andreas Seltenreich Security: CVE-2016-3065
3e133847 · Alvaro Herrera · 86ebf30f · 3e133847
Commit 3e133847 authored Mar 28, 2016 by Alvaro Herrera
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 2 deletions

contrib/pageinspect/brinfuncs.c contrib/pageinspect/brinfuncs.c +23 -2

No files found.
--- a/contrib/pageinspect/brinfuncs.c
+++ b/contrib/pageinspect/brinfuncs.c
@@ -46,8 +46,23 @@ brin_page_type(PG_FUNCTION_ARGS)
 {
 	bytea	   *raw_page = PG_GETARG_BYTEA_P(0);
 	Page		page = VARDATA(raw_page);
+	int			raw_page_size;
 	char	   *type;
+	if (!superuser())
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 (errmsg("must be superuser to use raw page functions"))));
+	raw_page_size = VARSIZE(raw_page) - VARHDRSZ;
+	if (raw_page_size != BLCKSZ)
+		ereport(ERROR,
+				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+				 errmsg("input page too small"),
+				 errdetail("Expected size %d, got %d",
+						   BLCKSZ, raw_page_size)));
 	switch (BrinPageType(page))
 	{
 		case BRIN_PAGETYPE_META:
@@ -79,11 +94,12 @@ verify_brin_page(bytea *raw_page, uint16 type, const char *strtype)
 	raw_page_size = VARSIZE(raw_page) - VARHDRSZ;
-	if (raw_page_size < SizeOfPageHeaderData)
+	if (raw_page_size != BLCKSZ)
 		ereport(ERROR,
 				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 				 errmsg("input page too small"),
-			  errdetail("Expected size %d, got %d", raw_page_size, BLCKSZ)));
+				 errdetail("Expected size %d, got %d",
+						   BLCKSZ, raw_page_size)));
 	page = VARDATA(raw_page);
@@ -316,6 +332,11 @@ brin_metapage_info(PG_FUNCTION_ARGS)
 	bool		nulls[4];
 	HeapTuple	htup;
+	if (!superuser())
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 (errmsg("must be superuser to use raw page functions"))));
 	page = verify_brin_page(raw_page, BRIN_PAGETYPE_META, "metapage");
 	/* Build a tuple descriptor for our result type */