[pgpool-committers: 10102] pgpool: Fix multiple query cache vulnerabilities (CVE-2024-45624).
Bo Peng
pengbo at sraoss.co.jp
Mon Sep 9 10:40:32 JST 2024
Fix multiple query cache vulnerabilities (CVE-2024-45624).

When the query cache feature is enabled, it was possible that a user
can read rows from tables that should not be visible for the user
through query cache.

- If query cache is created for a row security enabled table for user
  A, and then other user B accesses the table via SET ROLE or SET
  SESSION_AUTHORIZATION in the same session, it was possible for the
  user B to retrieve rows which should not be visible from the user B.

- If query cache is created for a table for user A, and then other
  user B accesses the table via SET ROLE or SET SESSION_AUTHORIZATION
  in the same session, it was possible for the user B to retrieve rows
  which should not be visible from the user B.

- If query cache is created for a table for a user, and then the
  access right of the table is revoked from the user by REVOKE
  command, still it was possible for the user to retrieve the rows
  through the query cache.

Besides the vulnerabilities, there were multiple bugs with the query
cache feature.

- If query cache is created for a row security enabled table for a
  user, and then ALTER DATABASE BYPASSRLS or ALTER ROLE BYPASSRLS
  disable the row security of the table, subsequent SELECT still
  returns the same rows as before through the query cache.

- If query cache is created for a table for a user, and then ALTER
  TABLE SET SCHEMA changes the search path to not allow to access the
  table, subsequent SELECT still returns the rows as before through
  the query cache.

To fix above, following changes are made:

- Do not allow to create query cache/use query cache for row security
  enabled tables (even if the table is included in
  cache_safe_memqcache_table_list).

- Do not allow to create query cache/use query cache if SET ROLE/SET
  AUTHORIZATION is executed in the session (query cache invalidation
  is performed when a table is modified as usual).

- Remove entire query cache if REVOKE/ALTER DATABASE/ALTER TABLE/ALTER
  ROLE is executed. If the command is executed in an explicit
  transaction, do not create query cache/use query cache until the
  transaction gets committed (query cache invalidation is performed
  when a table is modified as usual). If the transaction is aborted,
  do not remove query cache.

Patch is created by Tatsuo Ishii.
Backpatch-through: v4.1

Branch
------
V4_3_STABLE
Details
-------
https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=b4a4536256664cfb663231bd7f0b9b385621c5e6
Modified Files
--------------
doc.ja/src/sgml/memcache.sgml | 17 +
doc/src/sgml/memcache.sgml | 25 +
src/context/pool_session_context.c | 83 +++
src/include/context/pool_session_context.h | 19 +
src/include/query_cache/pool_memqcache.h | 4 +-
src/include/utils/pool_select_walker.h | 4 +-
src/protocol/CommandComplete.c | 150 ++++-
src/protocol/pool_proto_modules.c | 6 +-
src/query_cache/pool_memqcache.c | 29 +-
.../tests/006.memqcache/alter_database1.data | 53 ++
.../tests/006.memqcache/alter_database2.data | 18 +
.../tests/006.memqcache/alter_database3.data | 8 +
.../regression/tests/006.memqcache/alter_role.data | 50 ++
.../tests/006.memqcache/alter_table1.data | 60 ++
.../tests/006.memqcache/alter_table2.data | 18 +
.../tests/006.memqcache/alter_table3.data | 8 +
src/test/regression/tests/006.memqcache/expected.n | 569 +++++++++++++++++++
src/test/regression/tests/006.memqcache/expected.r | 627 +++++++++++++++++++++
src/test/regression/tests/006.memqcache/expected.s | 569 +++++++++++++++++++
.../regression/tests/006.memqcache/revoke1.data | 73 +++
.../regression/tests/006.memqcache/revoke2.data | 19 +
.../regression/tests/006.memqcache/revoke3.data | 8 +
.../tests/006.memqcache/row_security.data | 42 ++
.../tests/006.memqcache/session_authorization.data | 19 +
.../regression/tests/006.memqcache/set_role1.data | 19 +
.../regression/tests/006.memqcache/set_role2.data | 39 ++
.../regression/tests/006.memqcache/set_role3.data | 44 ++
.../regression/tests/006.memqcache/set_role4.data | 90 +++
src/test/regression/tests/006.memqcache/test.sh | 336 +++++++++++
src/utils/pool_select_walker.c | 107 +++-
30 files changed, 3106 insertions(+), 7 deletions(-)
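
The three rules listed in the commit message, modelled as a per-session state machine. This is an added example, not code from the pgpool-II tree or from the patch: every type and function name is hypothetical. It assumes the SET ROLE flag stays set for the rest of the session and that a deferred cache removal happens at COMMIT.

```c
/* Added illustration: hypothetical model, not pgpool-II source code. */
#include <stdbool.h>
#include <stdio.h>

enum cmd { BEGIN_TX, COMMIT_TX, ROLLBACK_TX, SET_ROLE, SET_SESSION_AUTH,
           REVOKE, ALTER_DATABASE, ALTER_TABLE, ALTER_ROLE };

struct session {
    bool in_tx;            /* inside an explicit transaction */
    bool identity_changed; /* SET ROLE / SET SESSION AUTHORIZATION was run */
    bool flush_pending;    /* REVOKE/ALTER ran in the still-open transaction */
    int  flushes;          /* times the entire cache was removed */
};

static bool changes_access(enum cmd c)
{
    return c == REVOKE || c == ALTER_DATABASE || c == ALTER_TABLE || c == ALTER_ROLE;
}

/* Update session state after a command completes successfully. */
void on_command(struct session *s, enum cmd c)
{
    if (c == SET_ROLE || c == SET_SESSION_AUTH) {
        s->identity_changed = true;             /* assumption: sticky for the session */
    } else if (c == BEGIN_TX) {
        s->in_tx = true;
    } else if (changes_access(c)) {
        if (s->in_tx) s->flush_pending = true;  /* defer removal until COMMIT */
        else s->flushes++;                      /* remove the whole cache now */
    } else if (c == COMMIT_TX || c == ROLLBACK_TX) {
        if (c == COMMIT_TX && s->flush_pending) s->flushes++;
        s->flush_pending = false;               /* on abort the cache is kept */
        s->in_tx = false;
    }
}

/* May this session create or read a cache entry for the table? */
bool cache_usable(const struct session *s, bool table_has_rls)
{
    return !table_has_rls && !s->identity_changed && !s->flush_pending;
}

int main(void)
{
    struct session s = {0};
    on_command(&s, BEGIN_TX);
    on_command(&s, REVOKE);
    printf("in tx after REVOKE: usable=%d flushes=%d\n", cache_usable(&s, false), s.flushes);
    on_command(&s, COMMIT_TX);
    printf("after COMMIT:       usable=%d flushes=%d\n", cache_usable(&s, false), s.flushes);
    return 0;
}
```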