@@ -132,6 +132,20 @@ static inline void isa_init_ioport(ISADevice *dev, uint16_t ioport)
void isa_register_ioport(ISADevice *dev, MemoryRegion *io, uint16_t start)
{
+ if (io->ops->valid.min_access_size > 1 ||
+ io->ops->valid.max_access_size < 4) {
+ warn_report_once("Monkey-patching ISA I/O access sizes "
+ "(side effect of CVE-2020-13754, only for QEMU v5.1)");
+ /*
+ * To be backward compatible with IBM-PC bus, ISA bus must accept
+ * 8-bit accesses.
+ */
+ io->ops->valid.min_access_size = 1;
+ /*
+ * EISA bus must accept 32-bit accesses.
+ */
+ io->ops->valid.max_access_size = 4;
+ }
memory_region_add_subregion(isabus->address_space_io, start, io);
isa_init_ioport(dev, start);
}
Since commit 5d971f9e67 we don't accept mismatching sizes in memory_region_access_valid(). This gives troubles when a device is on an ISA bus, because the CPU is free to use 8/16-bit accesses on the bus (or up to 32-bit on EISA bus), regardless what range is valid for the device. Monkey-patch the ISA device MemoryRegionOps to force it to accepts 8/16/32-bit accesses. This should be reverted after the release and fixed in a more elegant manner. Related bug reports: - https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ - https://bugs.debian.org/964793 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 - https://bugs.launchpad.net/bugs/1886318 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> --- hw/isa/isa-bus.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)