Reset plan->row_security_env and planUserId

In the plancache, we check if the environment we planned the query under
has changed in a way which requires us to re-plan, such as when the user
for whom the plan was prepared changes and RLS is being used (and,
therefore, there may be different policies to apply).

Unfortunately, while those values were set and checked, they were not
being reset when the query was re-planned and therefore, in cases where
we change role, re-plan, and then change role again, we weren't
re-planning again.  This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a given query
is planned under one role and then executed under other roles, which
could happen under security definer functions or when a common user and
query is planned initially and then re-used across multiple SET ROLEs.

Further, extensions which made use of CopyCachedPlan() may suffer from
similar issues as the RLS-related fields were not properly copied as
part of the plan and therefore RevalidateCachedQuery() would copy in the
current settings without invalidating the query.

Fix by using the same approach used for 'search_path', where we set the
correct values in CompleteCachedPlan(), check them early on in
RevalidateCachedQuery() and then properly reset them if re-planning.
Also, copy through the values during CopyCachedPlan().

Pointed out by Ashutosh Bapat.  Reviewed by Michael Paquier.

Back-patch to 9.5 where RLS was introduced.

Security: CVE-2016-2193

1 files changed, 26 insertions, 15 deletions

diff --git a/src/backend/utils/cache/plancache.c b/src/backend/utils/cache/plancache.c
index a93825d0087..8fd9f2b573f 100644
--- a/src/backend/utils/cache/plancache.c
+++ b/src/backend/utils/cache/plancache.c
@@ -16,7 +16,8 @@
  * if it has one.  When (and if) the next demand for a cached plan occurs,
  * parse analysis and rewrite is repeated to build a new valid query tree,
  * and then planning is performed as normal.  We also force re-analysis and
- * re-planning if the active search_path is different from the previous time.
+ * re-planning if the active search_path is different from the previous time
+ * or, if RLS is involved, if the user changes or the RLS environment changes.
  *
  * Note that if the sinval was a result of user DDL actions, parse analysis
  * could throw an error, for example if a column referenced by the query is
@@ -208,8 +209,8 @@ CreateCachedPlan(Node *raw_parse_tree,
 	plansource->total_custom_cost = 0;
 	plansource->num_custom_plans = 0;
 	plansource->hasRowSecurity = false;
-	plansource->row_security_env = row_security;
 	plansource->planUserId = InvalidOid;
+	plansource->row_security_env = false;
 
 	MemoryContextSwitchTo(oldcxt);
 
@@ -275,6 +276,8 @@ CreateOneShotCachedPlan(Node *raw_parse_tree,
 	plansource->generic_cost = -1;
 	plansource->total_custom_cost = 0;
 	plansource->num_custom_plans = 0;
+	plansource->planUserId = InvalidOid;
+	plansource->row_security_env = false;
 
 	return plansource;
 }
@@ -413,6 +416,8 @@ CompleteCachedPlan(CachedPlanSource *plansource,
 	plansource->cursor_options = cursor_options;
 	plansource->fixed_result = fixed_result;
 	plansource->resultDesc = PlanCacheComputeResultDesc(querytree_list);
+	plansource->planUserId = GetUserId();
+	plansource->row_security_env = row_security;
 
 	MemoryContextSwitchTo(oldcxt);
 
@@ -576,24 +581,14 @@ RevalidateCachedQuery(CachedPlanSource *plansource)
 	}
 
 	/*
-	 * If this is a new cached plan, then set the user id it was planned by
-	 * and under what row security settings; these are needed to determine
-	 * plan invalidation when RLS is involved or foreign joins are pushed
-	 * down.
-	 */
-	if (!OidIsValid(plansource->planUserId))
-	{
-		plansource->planUserId = GetUserId();
-		plansource->row_security_env = row_security;
-	}
-
-	/*
 	 * If the query is currently valid, we should have a saved search_path ---
 	 * check to see if that matches the current environment.  If not, we want
-	 * to force replan.
+	 * to force replan.  We should also have a valid planUserId.
 	 */
 	if (plansource->is_valid)
 	{
+		Assert(OidIsValid(plansource->planUserId));
+
 		Assert(plansource->search_path != NULL);
 		if (!OverrideSearchPathMatchesCurrent(plansource->search_path))
 		{
@@ -661,6 +656,14 @@ RevalidateCachedQuery(CachedPlanSource *plansource)
 	plansource->search_path = NULL;
 
 	/*
+	 * The plan is invalid, possibly due to row security, so we need to reset
+	 * row_security_env and planUserId as we're about to re-plan with the
+	 * current settings.
+	 */
+	plansource->row_security_env = row_security;
+	plansource->planUserId = GetUserId();
+
+	/*
 	 * Free the query_context.  We don't really expect MemoryContextDelete to
 	 * fail, but just in case, make sure the CachedPlanSource is left in a
 	 * reasonably sane state.  (The generic plan won't get unlinked yet, but
@@ -1412,6 +1415,14 @@ CopyCachedPlan(CachedPlanSource *plansource)
 	newsource->total_custom_cost = plansource->total_custom_cost;
 	newsource->num_custom_plans = plansource->num_custom_plans;
 
+	/*
+	 * Copy over the user the query was planned as, and under what RLS
+	 * environment.  We will check during RevalidateCachedQuery() if the user
+	 * or environment has changed and, if so, will force a re-plan.
+	 */
+	newsource->planUserId = plansource->planUserId;
+	newsource->row_security_env = plansource->row_security_env;
+
 	MemoryContextSwitchTo(oldcxt);
 
 	return newsource;