Harden _int_matchsel() against being attached to the wrong operator.

While the preceding commit prevented such attachments from occurring in future, this one aims to prevent further abuse of any already-created operator that exposes _int_matchsel to the wrong data types. (No other contrib module has a vulnerable selectivity estimator.)

We need only check that the Const we've found in the query is indeed of the type we expect (query_int), but there's a difficulty: as an extension type, query_int doesn't have a fixed OID that we could hard-code into the estimator. Therefore, the bulk of this patch consists of infrastructure to let an extension function securely look up the OID of a datatype belonging to the same extension. (Extension authors have requested such functionality before, so we anticipate that this code will have additional non-security uses, and may soon be extended to allow looking up other kinds of SQL objects.)

This is done by first finding the extension that owns the calling function (there can be only one), and then thumbing through the objects owned by that extension to find a type that has the desired name. This is relatively expensive, especially for large extensions, so a simple cache is put in front of these lookups.

Reported-by: Daniel Firer as part of zeroday.cloud
Author: Tom Lane <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2004
Backpatch-through: 14

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/7e82d9a04d0fba0678f4349f23b03bbdf83193f7

Modified Files
--------------
contrib/intarray/_int_selfuncs.c |  14 ++++-
src/backend/catalog/pg_depend.c  |  73 ++++++++++++++++++++++
src/backend/commands/extension.c | 130 +++++++++++++++++++++++++++++++++++++++
src/include/catalog/dependency.h |   2 +
src/include/commands/extension.h |   2 +
src/tools/pgindent/typedefs.list |   1 +
6 files changed, 221 insertions(+), 1 deletion(-)
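
The same two-step lookup (function to owning extension, then extension to its type named query_int) can be run against the system catalogs to audit a database for operators that already use _int_matchsel as their restriction estimator. This query is an added example, not code from the commit; it assumes extension membership is recorded in pg_depend with deptype 'e', and the output column names are made up for illustration.

```sql
-- Added example: audit query, not part of the PostgreSQL commit.
-- Run it in each database where intarray is installed.
WITH sel AS (      -- every function named _int_matchsel
    SELECT p.oid AS funcoid
    FROM pg_proc p
    WHERE p.proname = '_int_matchsel'
),
ext AS (           -- the extension that owns each such function
    SELECT s.funcoid, d.refobjid AS extoid
    FROM sel s
    JOIN pg_depend d
      ON d.classid    = 'pg_proc'::regclass
     AND d.objid      = s.funcoid
     AND d.refclassid = 'pg_extension'::regclass
     AND d.deptype    = 'e'
),
qtype AS (         -- the type named query_int owned by that same extension
    SELECT e.funcoid, t.oid AS typoid
    FROM ext e
    JOIN pg_depend d
      ON d.refclassid = 'pg_extension'::regclass
     AND d.refobjid   = e.extoid
     AND d.deptype    = 'e'
     AND d.classid    = 'pg_type'::regclass
    JOIN pg_type t
      ON t.oid = d.objid
     AND t.typname = 'query_int'
)
-- Operators whose restriction estimator is that function, with their
-- operand types and whether either operand is the extension's query_int.
SELECT o.oid::regoperator            AS op_signature,
       format_type(o.oprleft, NULL)  AS left_type,
       format_type(o.oprright, NULL) AS right_type,
       (q.typoid IN (o.oprleft, o.oprright)) AS has_query_int_operand
FROM pg_operator o
JOIN qtype q ON o.oprrest = q.funcoid
ORDER BY 4, o.oprname;
```

Rows where has_query_int_operand is false are operators that attach the estimator to other data types, which is the already-created case the commit message describes.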
