Disallow converting a table to a view within an outer SQL command.

We have long disallowed all forms of ALTER TABLE if the table is
already opened by some outer SQL command in the same session.
This has the same purpose as obtaining AccessExclusiveLock, but
since a session's own locks don't conflict the lock only blocks use
of the table by other sessions, not our own.  Without this check,
the ALTER might confuse the outer SQL command since any previous
inspection of the table would potentially become invalid.

However, the RelisBecomingView code path in DefineQueryRewrite never
got that memo, and assumed that AccessExclusiveLock is sufficient
for performing something morally equivalent to a rather invasive
ALTER TABLE.  Unsurprisingly, this can confuse an outer command
that is trying to do something with the table.

This was submitted as a security issue, but the security team
has been unable to identify any consequence worse than a null
pointer dereference (from trying to access rd_tableam methods
that the relation no longer has).  Therefore, in accordance
with our usual policy, it's not security material and should
just be fixed as a routine bug.

Fix by disallowing the operation if the table is open locally,
exactly as ALTER TABLE does it.

Per an anonymous security researcher, via Bundesamt für Sicherheit
in der Informationstechnik.

Patch v12-v15 only.  In v16 and later, we removed this code
altogether (cf. commit b23cd185f), so that there's no issue.

diff --git a/src/backend/rewrite/rewriteDefine.c b/src/backend/rewrite/rewriteDefine.c
index ac68913d8b7085fb4b4dc22c199a8366b6d14915..8b9d80b2e064fcbc66cbccc418ce436b3916a7bf 100644 (file)
--- a/src/backend/rewrite/rewriteDefine.c
+++ b/src/backend/rewrite/rewriteDefine.c
@@ -30,6 +30,7 @@
 #include "catalog/pg_rewrite.h"
 #include "catalog/storage.h"
 #include "commands/policy.h"
+#include "commands/tablecmds.h"
 #include "miscadmin.h"
 #include "nodes/nodeFuncs.h"
 #include "parser/parse_utilcmd.h"
@@ -422,6 +423,9 @@ DefineQueryRewrite(const char *rulename,
         * whole business of converting relations to views is just an obsolete
         * kluge to allow dump/reload of views that participate in circular
         * dependencies.)
+        *
+        * Also ensure the relation isn't being manipulated in any outer SQL
+        * command of our own session.
         */
        if (event_relation->rd_rel->relkind != RELKIND_VIEW &&
            event_relation->rd_rel->relkind != RELKIND_MATVIEW)
@@ -430,6 +434,8 @@ DefineQueryRewrite(const char *rulename,
            Snapshot    snapshot;
            TupleTableSlot *slot;
 
+           CheckTableNotInUse(event_relation, "CREATE RULE");
+
            if (event_relation->rd_rel->relkind == RELKIND_PARTITIONED_TABLE)
                ereport(ERROR,
                        (errcode(ERRCODE_WRONG_OBJECT_TYPE),