sql,catalog,typedesc: validate OID range before converting it to ID

Previously the code to convert an OID to a descpb.ID assumed that the OID is
larger than a predefined constant. There were no checks to validate the given
OID during conversion. As a result, an out-of-range OID could be
converted to an invalid descriptor ID without an error.

The changes in this PR validate the range of given user-defined OID before
conversion, which encourages the user to check the conversion for
potential problems.

Release note: None

Fixes #58414

Author: Sajjad Rizvi

pkg/ccl/backupccl/restore_planning.go

@@ -116,14 +116,23 @@ func rewriteTypesInExpr(expr string, rewrites DescRewriteMap) (string, error) {
 	if err != nil {
 		return "", err
 	}
+
 	ctx := tree.NewFmtCtx(tree.FmtSerializable)
 	ctx.SetIndexedTypeFormat(func(ctx *tree.FmtCtx, ref *tree.OIDTypeReference) {
 		newRef := ref
-		if rw, ok := rewrites[typedesc.UserDefinedTypeOIDToID(ref.OID)]; ok {
+		id, ok := typedesc.MaybeUserDefinedTypeOIDToID(ref.OID)
+		if !ok {
+			err = typedesc.MakeOIDRangeError(ref.OID)
+			return
+		}
+		if rw, ok := rewrites[id]; ok {
 			newRef = &tree.OIDTypeReference{OID: typedesc.TypeIDToOID(rw.ID)}
 		}
 		ctx.WriteString(newRef.SQLString())
 	})
+	if err != nil {
+		return "", err
+	}
 	ctx.FormatNode(parsed)
 	return ctx.CloseAndGetString(), nil
 }
@@ -348,11 +357,15 @@ func allocateDescriptorRewrites(
 			// Ensure that all referenced types are present.
 			if col.Type.UserDefined() {
 				// TODO (rohany): This can be turned into an option later.
-				if _, ok := typesByID[typedesc.GetTypeDescID(col.Type)]; !ok {
+				id, isValid := typedesc.GetTypeDescID(col.Type)
+				if !isValid {
+					return nil, typedesc.MakeTypeIDRangeError(col.Type)
+				}
+				if _, ok := typesByID[id]; !ok {
 					return nil, errors.Errorf(
 						"cannot restore table %q without referenced type %d",
 						table.Name,
-						typedesc.GetTypeDescID(col.Type),
+						id,
 					)
 				}
 			}
@@ -1029,13 +1042,21 @@ func rewriteIDsInTypesT(typ *types.T, descriptorRewrites DescRewriteMap) {
 	if !typ.UserDefined() {
 		return
 	}
+	tid, ok := typedesc.GetTypeDescID(typ)
+	if !ok {
+		log.Fatalf(context.TODO(), "%v", typedesc.MakeTypeIDRangeError(typ))
+	}
 	// Collect potential new OID values.
 	var newOID, newArrayOID oid.Oid
-	if rw, ok := descriptorRewrites[typedesc.GetTypeDescID(typ)]; ok {
+	if rw, ok := descriptorRewrites[tid]; ok {
 		newOID = typedesc.TypeIDToOID(rw.ID)
 	}
 	if typ.Family() != types.ArrayFamily {
-		if rw, ok := descriptorRewrites[typedesc.GetArrayTypeDescID(typ)]; ok {
+		tid, ok = typedesc.GetArrayTypeDescID(typ)
+		if !ok {
+			log.Fatalf(context.TODO(), "%v", typedesc.MakeTypeIDRangeError(typ))
+		}
+		if rw, ok := descriptorRewrites[tid]; ok {
 			newArrayOID = typedesc.TypeIDToOID(rw.ID)
 		}
 	}

pkg/ccl/changefeedccl/schemafeed/schema_feed.go

@@ -180,13 +180,19 @@ func (t *typeDependencyTracker) removeDependency(typeID, tableID descpb.ID) {
 
 func (t *typeDependencyTracker) purgeTable(tbl catalog.TableDescriptor) {
 	for _, col := range tbl.UserDefinedTypeColumns() {
-		t.removeDependency(typedesc.UserDefinedTypeOIDToID(col.GetType().Oid()), tbl.GetID())
+		id, ok := typedesc.MaybeUserDefinedTypeOIDToID(col.GetType().Oid())
+		if !ok {
+			log.Fatalf(context.TODO(), "%v", typedesc.MakeOIDRangeError(col.GetType().Oid()))
+		}
+		t.removeDependency(id, tbl.GetID())
 	}
 }
 
 func (t *typeDependencyTracker) ingestTable(tbl catalog.TableDescriptor) {
 	for _, col := range tbl.UserDefinedTypeColumns() {
-		t.addDependency(typedesc.UserDefinedTypeOIDToID(col.GetType().Oid()), tbl.GetID())
+		// Not validating the type as the columns are supposed to have a valid id
+		id, _ := typedesc.MaybeUserDefinedTypeOIDToID(col.GetType().Oid())
+		t.addDependency(id, tbl.GetID())
 	}
 }
 

pkg/sql/BUILD.bazel

@@ -302,7 +302,6 @@ go_library(
         "//pkg/sql/inverted",
         "//pkg/sql/lex",
         "//pkg/sql/mutations",
-        "//pkg/sql/oidext",
         "//pkg/sql/opt",
         "//pkg/sql/opt/cat",
         "//pkg/sql/opt/constraint",

pkg/sql/catalog/descs/collection.go

@@ -2180,7 +2180,11 @@ func (dt DistSQLTypeResolver) ResolveType(
 
 // ResolveTypeByOID implements the tree.TypeReferenceResolver interface.
 func (dt DistSQLTypeResolver) ResolveTypeByOID(ctx context.Context, oid oid.Oid) (*types.T, error) {
-	name, desc, err := dt.GetTypeDescriptor(ctx, typedesc.UserDefinedTypeOIDToID(oid))
+	id, ok := typedesc.MaybeUserDefinedTypeOIDToID(oid)
+	if !ok {
+		return nil, typedesc.MakeOIDRangeError(oid)
+	}
+	name, desc, err := dt.GetTypeDescriptor(ctx, id)
 	if err != nil {
 		return nil, err
 	}
@@ -2213,7 +2217,11 @@ func (dt DistSQLTypeResolver) GetTypeDescriptor(
 func (dt DistSQLTypeResolver) HydrateTypeSlice(ctx context.Context, typs []*types.T) error {
 	for _, t := range typs {
 		if t.UserDefined() {
-			name, desc, err := dt.GetTypeDescriptor(ctx, typedesc.GetTypeDescID(t))
+			id, ok := typedesc.GetTypeDescID(t)
+			if !ok {
+				return typedesc.MakeTypeIDRangeError(t)
+			}
+			name, desc, err := dt.GetTypeDescriptor(ctx, id)
 			if err != nil {
 				return err
 			}

pkg/sql/catalog/tabledesc/structured.go

@@ -496,7 +496,11 @@ func (desc *wrapper) getAllReferencedTypesInTableColumns(
 	// collect the closure of ID's referenced.
 	ids := make(map[descpb.ID]struct{})
 	for id := range visitor.OIDs {
-		typDesc, err := getType(typedesc.UserDefinedTypeOIDToID(id))
+		uid, ok := typedesc.MaybeUserDefinedTypeOIDToID(id)
+		if !ok {
+			return nil, typedesc.MakeOIDRangeError(id)
+		}
+		typDesc, err := getType(uid)
 		if err != nil {
 			return nil, err
 		}

pkg/sql/catalog/tabledesc/validate.go

@@ -89,7 +89,9 @@ func (desc *wrapper) GetReferencedDescIDs() catalog.DescriptorIDSet {
 	})
 	// Add collected Oids to return set.
 	for oid := range visitor.OIDs {
-		ids.Add(typedesc.UserDefinedTypeOIDToID(oid))
+		// Assuming that the id converted from OID is valid
+		id, _ := typedesc.MaybeUserDefinedTypeOIDToID(oid)
+		ids.Add(id)
 	}
 	// Add view dependencies.
 	for _, id := range desc.GetDependsOn() {

pkg/sql/catalog/typedesc/BUILD.bazel

@@ -46,13 +46,15 @@ go_test(
         "//pkg/sql/catalog/dbdesc",
         "//pkg/sql/catalog/descpb",
         "//pkg/sql/catalog/schemadesc",
+        "//pkg/sql/oidext",
         "//pkg/sql/privilege",
         "//pkg/sql/types",
         "//pkg/testutils",
         "//pkg/testutils/serverutils",
         "//pkg/util/leaktest",
         "//pkg/util/randutil",
         "@com_github_cockroachdb_redact//:redact",
+        "@com_github_lib_pq//oid",
         "@com_github_stretchr_testify//require",
         "@in_gopkg_yaml_v2//:yaml_v2",
     ],

pkg/sql/catalog/typedesc/type_desc.go

@@ -113,21 +113,36 @@ func TypeIDToOID(id descpb.ID) oid.Oid {
 	return oid.Oid(id) + oidext.CockroachPredefinedOIDMax
 }
 
-// UserDefinedTypeOIDToID converts a user defined type OID into a
-// descriptor ID.
-func UserDefinedTypeOIDToID(oid oid.Oid) descpb.ID {
-	return descpb.ID(oid) - oidext.CockroachPredefinedOIDMax
+// MaybeUserDefinedTypeOIDToID converts a user defined type OID into a
+// descriptor ID. OID of a user-defined type must be greater than
+// CockraochPredefinedOIDMax.
+func MaybeUserDefinedTypeOIDToID(oid oid.Oid) (descpb.ID, bool) {
+	if descpb.ID(oid) <= oidext.CockroachPredefinedOIDMax {
+		return 0, false
+	}
+	return descpb.ID(oid) - oidext.CockroachPredefinedOIDMax, true
+}
+
+// MakeOIDRangeError is a helper to create an error message for invalid user-defined OID conversion.
+func MakeOIDRangeError(oid oid.Oid) error {
+	return errors.Newf("user-defined OID %d is out of range. It must be greater than Max OID: %d.",
+		oid, oidext.CockroachPredefinedOIDMax)
 }
 
 // GetTypeDescID gets the type descriptor ID from a user defined type.
-func GetTypeDescID(t *types.T) descpb.ID {
-	return UserDefinedTypeOIDToID(t.Oid())
+func GetTypeDescID(t *types.T) (descpb.ID, bool) {
+	return MaybeUserDefinedTypeOIDToID(t.Oid())
 }
 
 // GetArrayTypeDescID gets the ID of the array type descriptor from a user
 // defined type.
-func GetArrayTypeDescID(t *types.T) descpb.ID {
-	return UserDefinedTypeOIDToID(t.UserDefinedArrayOID())
+func GetArrayTypeDescID(t *types.T) (descpb.ID, bool) {
+	return MaybeUserDefinedTypeOIDToID(t.UserDefinedArrayOID())
+}
+
+// MakeTypeIDRangeError is a helper to create an error message for invalid type ID conversion.
+func MakeTypeIDRangeError(t *types.T) error {
+	return MakeOIDRangeError(t.Oid())
 }
 
 // TypeDesc implements the Descriptor interface.
@@ -599,10 +614,13 @@ func (desc *immutable) ValidateCrossReferences(
 		}
 	case descpb.TypeDescriptor_ALIAS:
 		if desc.GetAlias().UserDefined() {
-			aliasedID := UserDefinedTypeOIDToID(desc.GetAlias().Oid())
+			aliasedID, isValid := MaybeUserDefinedTypeOIDToID(desc.GetAlias().Oid())
 			if _, err := vdg.GetTypeDescriptor(aliasedID); err != nil {
 				vea.Report(errors.Wrapf(err, "aliased type %d does not exist", aliasedID))
 			}
+			if !isValid {
+				vea.Report(errors.Wrapf(err, "aliased type %d is out of range", aliasedID))
+			}
 		}
 	}
 
@@ -724,7 +742,11 @@ func HydrateTypesInTableDescriptor(
 	hydrateCol := func(col *descpb.ColumnDescriptor) error {
 		if col.Type.UserDefined() {
 			// Look up its type descriptor.
-			name, typDesc, err := res.GetTypeDescriptor(ctx, GetTypeDescID(col.Type))
+			td, ok := GetTypeDescID(col.Type)
+			if !ok {
+				return MakeTypeIDRangeError(col.Type)
+			}
+			name, typDesc, err := res.GetTypeDescriptor(ctx, td)
 			if err != nil {
 				return err
 			}
@@ -787,7 +809,11 @@ func (desc *immutable) HydrateTypeInfoWithName(
 			case types.ArrayFamily:
 				// Hydrate the element type.
 				elemType := typ.ArrayContents()
-				elemTypName, elemTypDesc, err := res.GetTypeDescriptor(ctx, GetTypeDescID(elemType))
+				id, ok := GetTypeDescID(elemType)
+				if !ok {
+					return MakeTypeIDRangeError(elemType)
+				}
+				elemTypName, elemTypDesc, err := res.GetTypeDescriptor(ctx, id)
 				if err != nil {
 					return err
 				}
@@ -925,9 +951,10 @@ func GetTypeDescriptorClosure(typ *types.T) map[descpb.ID]struct{} {
 	if !typ.UserDefined() {
 		return map[descpb.ID]struct{}{}
 	}
+	id, _ := GetTypeDescID(typ)
 	// Collect the type's descriptor ID.
 	ret := map[descpb.ID]struct{}{
-		GetTypeDescID(typ): {},
+		id: {},
 	}
 	if typ.Family() == types.ArrayFamily {
 		// If we have an array type, then collect all types in the contents.
@@ -937,7 +964,8 @@ func GetTypeDescriptorClosure(typ *types.T) map[descpb.ID]struct{} {
 		}
 	} else {
 		// Otherwise, take the array type ID.
-		ret[GetArrayTypeDescID(typ)] = struct{}{}
+		id, _ := GetArrayTypeDescID(typ)
+		ret[id] = struct{}{}
 	}
 	return ret
 }

pkg/sql/catalog/typedesc/type_desc_test.go

@@ -13,6 +13,7 @@ package typedesc_test
 import (
 	"context"
 	"fmt"
+	"math"
 	"testing"
 
 	"github.com/cockroachdb/cockroach/pkg/keys"
@@ -22,10 +23,12 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/descpb"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/schemadesc"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/typedesc"
+	"github.com/cockroachdb/cockroach/pkg/sql/oidext"
 	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/sql/types"
 	"github.com/cockroachdb/cockroach/pkg/testutils"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
+	"github.com/lib/pq/oid"
 	"github.com/stretchr/testify/require"
 )
 
@@ -784,3 +787,22 @@ func TestValidateTypeDesc(t *testing.T) {
 		}
 	}
 }
+
+func TestOIDToIDConversion(t *testing.T) {
+	tests := []struct {
+		oid   oid.Oid
+		ok    bool
+		tname string
+	}{
+		{oid.Oid(0), false, "default OID"},
+		{oid.Oid(1), false, "PG OID"},
+		{oid.Oid(oidext.CockroachPredefinedOIDMax), false, "User-defined OID"},
+		{oid.Oid(oidext.CockroachPredefinedOIDMax + 1), true, "user-defined OID"},
+		{oid.Oid(math.MaxUint32), true, "max user-defined OID"},
+	}
+
+	for _, test := range tests {
+		_, ok := typedesc.MaybeUserDefinedTypeOIDToID(test.oid)
+		require.Equalf(t, test.ok, ok, "%s test: expected: %t, but found: %t", test.tname, test.ok, ok)
+	}
+}

pkg/sql/database_region_change_finalizer.go

@@ -169,8 +169,14 @@ func (r *databaseRegionChangeFinalizer) repartitionRegionalByRowTables(
 		// the table descriptor with the new type metadata.
 		for i := range tableDesc.Columns {
 			col := &tableDesc.Columns[i]
-			if col.Type.UserDefined() && typedesc.UserDefinedTypeOIDToID(col.Type.Oid()) == r.typeID {
-				col.Type.TypeMeta = types.UserDefinedTypeMetadata{}
+			if col.Type.UserDefined() {
+				tid, ok := typedesc.MaybeUserDefinedTypeOIDToID(col.Type.Oid())
+				if !ok {
+					return typedesc.MakeOIDRangeError(col.Type.Oid())
+				}
+				if tid == r.typeID {
+					col.Type.TypeMeta = types.UserDefinedTypeMetadata{}
+				}
 			}
 		}
 		if err := typedesc.HydrateTypesInTableDescriptor(

pkg/sql/opt/testutils/testcat/test_catalog.go

@@ -794,7 +794,11 @@ func (tt *Table) CollectTypes(ord int) (descpb.IDs, error) {
 
 	ids := make(descpb.IDs, 0, len(visitor.OIDs))
 	for collectedOid := range visitor.OIDs {
-		ids = append(ids, typedesc.UserDefinedTypeOIDToID(collectedOid))
+		id, ok := typedesc.MaybeUserDefinedTypeOIDToID(collectedOid)
+		if !ok {
+			return nil, typedesc.MakeOIDRangeError(collectedOid, id)
+		}
+		ids = append(ids, id)
 	}
 	return ids, nil
 }

pkg/sql/opt_catalog.go

@@ -2274,7 +2274,11 @@ func collectTypes(col catalog.Column) (descpb.IDs, error) {
 
 	ids := make(descpb.IDs, 0, len(visitor.OIDs))
 	for collectedOid := range visitor.OIDs {
-		ids = append(ids, typedesc.UserDefinedTypeOIDToID(collectedOid))
+		id, ok := typedesc.MaybeUserDefinedTypeOIDToID(collectedOid)
+		if !ok {
+			return nil, typedesc.MakeOIDRangeError(collectedOid)
+		}
+		ids = append(ids, id)
 	}
 	return ids, nil
 }

pkg/sql/pg_catalog.go

@@ -30,7 +30,6 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/schemaexpr"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/tabledesc"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/typedesc"
-	"github.com/cockroachdb/cockroach/pkg/sql/oidext"
 	"github.com/cockroachdb/cockroach/pkg/sql/parser"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
@@ -2437,17 +2436,18 @@ https://www.postgresql.org/docs/9.5/catalog-pg-type.html`,
 					return true, nil
 				}
 
+				// Check if it is a user defined type.
+				id, ok := typedesc.MaybeUserDefinedTypeOIDToID(ooid)
+
 				// This oid is not a user-defined type and we didn't find it in the
 				// map of predefined types, return false. Note that in common usage we
 				// only really expect the value 0 here (which cockroach uses internally
 				// in the typelem field amongst others). Users, however, may join on
 				// this index with any value.
-				if ooid <= oidext.CockroachPredefinedOIDMax {
+				if !ok {
 					return false, nil
 				}
 
-				// Check if it is a user defined type.
-				id := typedesc.UserDefinedTypeOIDToID(ooid)
 				typDesc, err := p.Descriptors().GetImmutableTypeByID(ctx, p.txn, id, tree.ObjectLookupFlags{})
 				if err != nil {
 					if errors.Is(err, catalog.ErrDescriptorNotFound) {