File 0333-qemu-bridge-helper-restrict-interfa.patch of Package qemu-linux-user.15026

From 73f7eca1fd9cc7ae680a6898fa286855113c3a0d Mon Sep 17 00:00:00 2001
From: Liang Yan <lyan@suse.com>
Date: Thu, 25 Jul 2019 13:28:26 -0400
Subject: [PATCH] qemu-bridge-helper: restrict interface name

The interface names in qemu-bridge-helper are defined to be
of size IFNAMSIZ(=16), including the terminating null('\0') byte.
The same is applied to interface names read from 'bridge.conf'
file to form ACL rules. If user supplied '--br=bridge' name
is not restricted to the same length, it could lead to ACL bypass
issue. Restrict bridge name to IFNAMSIZ, including null byte.

Reported-by: Riccardo Schirone <rschiron@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
[LY: BSC#1140402 CVE-2019-13164]
Signed-off-by: Liang Yan <lyan@suse.com>
---
 qemu-bridge-helper.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
index 73ac49ba66..043b97e8c9 100644
--- a/qemu-bridge-helper.c
+++ b/qemu-bridge-helper.c
@@ -108,6 +108,13 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
         }
         *argend = 0;
 
+        if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
+            fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
+            fclose(f);
+            errno = EINVAL;
+            return -1;
+        }
+
         if (strcmp(cmd, "deny") == 0) {
             acl_rule = calloc(1, sizeof(*acl_rule));
             if (!acl_rule) {
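
Review bot: the error path added in parse_acl_file() prints the over-long name but not the file it was read from, even though filename is in scope and rules can arrive through "include" directives (which this check skips). Adding filename and the limit (IFNAMSIZ - 1 characters) to the message would let an administrator locate the offending rule. A short comment saying why "include" is exempt (its argument is a path, not an interface name) would also help the next reader, and strlen(arg) could be computed once rather than twice.
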
@@ -263,6 +270,10 @@ int main(int argc, char **argv)
             return EXIT_FAILURE;
         }
     }
+    if (strlen(bridge) >= IFNAMSIZ) {
+        fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge));
+        return EXIT_FAILURE;
+    }
 
     if (bridge == NULL || unixfd == -1) {
         usage();
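
Review bot: in main(), the new strlen(bridge) call sits above the existing `if (bridge == NULL || unixfd == -1)` test, so if bridge can still be NULL at this point, as that test implies, running the helper without --br dereferences a NULL pointer instead of reaching usage(). Move the length check below the NULL/unixfd block, or guard it as `if (bridge && strlen(bridge) >= IFNAMSIZ)`.
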