From d5395013b151ce8494e4f2086f4f87f0d04a6a0d Mon Sep 17 00:00:00 2001 From: Alexander Korotkov Date: Tue, 21 Apr 2026 13:17:32 +0300 Subject: [PATCH v19] Prevent access to other sessions' temp tables Commit b7b0f3f2724 ("Use streaming I/O in sequential scans") routed sequential scans through read_stream_next_buffer(), bypassing the RELATION_IS_OTHER_TEMP() check in ReadBufferExtended(). As a result, a superuser can attempt to access temp tables of other sessions, even though the buffer manager is incapable of dealing with them correctly. Fix by adding the same check at two additional points: - read_stream_begin_impl() covers sequential and bitmap scans that go through the read-stream path. - StartReadBuffersImpl() and ReadBuffer_common() cover index scans and any remaining direct buffer accesses. Also add a TAP test in src/test/modules/test_misc exercising access to another session's temp table. Author: Jim Jones Discussion: https://postgr.es/m/CAJDiXghdFcZ8%3Dnh4G69te7iRr3Q0uFyXxb3ZdG09_GTNZXwH0g%40mail.gmail.com Author: Daniil Davydov <3danissimo@gmail.com> Co-authored-by: Jim Jones Reviewed-by: Soumya S Murali Reviewed-by: Tom Lane Reviewed-by: Alexander Korotkov Backpatch-through: 17 --- src/backend/storage/aio/read_stream.c | 10 ++ src/backend/storage/buffer/bufmgr.c | 12 ++ src/test/modules/test_misc/meson.build | 1 + .../test_misc/t/012_temp_obj_multisession.pl | 117 ++++++++++++++++++ 4 files changed, 140 insertions(+) create mode 100644 src/test/modules/test_misc/t/012_temp_obj_multisession.pl diff --git a/src/backend/storage/aio/read_stream.c b/src/backend/storage/aio/read_stream.c index 2374b4cd507..a318539e56c 100644 --- a/src/backend/storage/aio/read_stream.c +++ b/src/backend/storage/aio/read_stream.c @@ -776,6 +776,16 @@ read_stream_begin_impl(int flags, uint32 max_possible_buffer_limit; Oid tablespace_id; + /* + * Reject attempts to read non-local temporary relations; we would be + * likely to get wrong data since we have no visibility into the owning + * session's local buffers. + */ + if (rel && RELATION_IS_OTHER_TEMP(rel)) + ereport(ERROR, + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), + errmsg("cannot access temporary tables of other sessions"))); + /* * Decide how many I/Os we will allow to run at the same time. This * number also affects how far we look ahead for opportunities to start diff --git a/src/backend/storage/buffer/bufmgr.c b/src/backend/storage/buffer/bufmgr.c index 3cc0b0bdd92..676d8000e1e 100644 --- a/src/backend/storage/buffer/bufmgr.c +++ b/src/backend/storage/buffer/bufmgr.c @@ -1292,6 +1292,12 @@ ReadBuffer_common(Relation rel, SMgrRelation smgr, char smgr_persistence, int flags; char persistence; + /* see comments in ReadBufferExtended */ + if (rel && RELATION_IS_OTHER_TEMP(rel)) + ereport(ERROR, + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), + errmsg("cannot access temporary tables of other sessions"))); + /* * Backward compatibility path, most code should use ExtendBufferedRel() * instead, as acquiring the extension lock inside ExtendBufferedRel() @@ -1382,6 +1388,12 @@ StartReadBuffersImpl(ReadBuffersOperation *operation, Assert(*nblocks > 0); Assert(*nblocks <= MAX_IO_COMBINE_LIMIT); + /* see comments in ReadBufferExtended */ + if (operation->rel && RELATION_IS_OTHER_TEMP(operation->rel)) + ereport(ERROR, + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), + errmsg("cannot access temporary tables of other sessions"))); + if (operation->persistence == RELPERSISTENCE_TEMP) { io_context = IOCONTEXT_NORMAL; diff --git a/src/test/modules/test_misc/meson.build b/src/test/modules/test_misc/meson.build index 1b25d98f7f3..a54599cc301 100644 --- a/src/test/modules/test_misc/meson.build +++ b/src/test/modules/test_misc/meson.build @@ -20,6 +20,7 @@ tests += { 't/009_log_temp_files.pl', 't/010_index_concurrently_upsert.pl', 't/011_lock_stats.pl', + 't/012_temp_obj_multisession.pl', ], # The injection points are cluster-wide, so disable installcheck 'runningcheck': false, diff --git a/src/test/modules/test_misc/t/012_temp_obj_multisession.pl b/src/test/modules/test_misc/t/012_temp_obj_multisession.pl new file mode 100644 index 00000000000..43cfe625738 --- /dev/null +++ b/src/test/modules/test_misc/t/012_temp_obj_multisession.pl @@ -0,0 +1,117 @@ +# Copyright (c) 2026, PostgreSQL Global Development Group + +# Verify that one session cannot access another session's temporary table. +# +# A session creates a temporary table and a separate session attempts to +# read and modify it through various code paths: SELECT, UPDATE, DELETE, +# TRUNCATE, INSERT, COPY, and an index scan. Each attempt is expected to +# fail with "cannot access temporary tables of other sessions" (or the +# analogous TRUNCATE error). + +use strict; +use warnings; +use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Utils; +use PostgreSQL::Test::BackgroundPsql; +use Test::More; + +# Set up a fresh node +my $node = PostgreSQL::Test::Cluster->new('temp_lock'); +$node->init; +$node->start; + +# Create a long-lived session +my $psql1 = $node->background_psql('postgres'); + +$psql1->query_safe(q(CREATE TEMP TABLE foo AS SELECT 42 AS val;)); + +$psql1->query_safe(q(CREATE INDEX ON foo(val);)); + +my $tempschema = $node->safe_psql( + 'postgres', + q{ + SELECT n.nspname + FROM pg_class c + JOIN pg_namespace n ON n.oid = c.relnamespace + WHERE relname = 'foo' AND relpersistence = 't'; + } +); +chomp $tempschema; +ok($tempschema =~ /^pg_temp_\d+$/, "got temp schema: $tempschema"); + + +# SELECT TEMPORARY TABLE from other session +my ($stdout, $stderr); +$node->psql( + 'postgres', + "SELECT val FROM $tempschema.foo;", + stdout => \$stdout, + stderr => \$stderr); +like( + $stderr, + qr/cannot access temporary tables of other sessions/, + 'SELECT on other session temp table is not allowed'); + +# UPDATE TEMPORARY TABLE from other session +$node->psql( + 'postgres', + "UPDATE $tempschema.foo SET val = NULL;", + stderr => \$stderr); +like( + $stderr, + qr/cannot access temporary tables of other sessions/, + 'UPDATE on other session temp table is not allowed'); + +# DELETE records from TEMPORARY TABLE from other session +$node->psql('postgres', "DELETE FROM $tempschema.foo;", stderr => \$stderr); +like( + $stderr, + qr/cannot access temporary tables of other sessions/, + 'DELETE on other session temp table is not allowed'); + +# TRUNCATE TEMPORARY TABLE from other session +$node->psql('postgres', "TRUNCATE TABLE $tempschema.foo;", + stderr => \$stderr); +like( + $stderr, + qr/cannot truncate temporary tables of other sessions/, + 'TRUNCATE on other session temp table is not allowed'); + +# INSERT INTO TEMPORARY TABLE from other session +$node->psql( + 'postgres', + "INSERT INTO $tempschema.foo VALUES (73);", + stderr => \$stderr); +like( + $stderr, + qr/cannot access temporary tables of other sessions/, + 'INSERT INTO on other session temp table is not allowed'); + +# COPY TEMPORARY TABLE from other session +$node->psql('postgres', "COPY $tempschema.foo TO STDOUT;", + stderr => \$stderr); +like( + $stderr, + qr/cannot access temporary tables of other sessions/, + 'COPY on other session temp table is blocked'); + +# Index scans can use a different code path from the one sequential scans are +# following. Make sure that we cannot access other sessions' temp tables during +# index scan either. +$node->psql( + 'postgres', + "SET enable_seqscan = off; SELECT val FROM $tempschema.foo WHERE val = 42;", + stderr => \$stderr); +like( + $stderr, + qr/cannot access temporary tables of other sessions/, + 'index scan on other session temp table is not allowed (exercises ReadBufferExtended path)' +); + +# DROP TEMPORARY TABLE from other session +$node->safe_psql('postgres', "DROP TABLE $tempschema.foo;"); + +# Clean up +$psql1->quit; + +done_testing(); -- 2.39.5 (Apple Git-154)