Since commit 5d971f9e67 we don't accept mismatching sizes in memory_region_access_valid(). This gives troubles when a device is on an ISA bus, because the CPU is free to use 8/16-bit accesses on the bus (or up to 32-bit on EISA bus), regardless what range is valid for the device.
Monkey-patch the ISA device MemoryRegionOps to force it to accepts 8/16/32-bit accesses. This should be reverted after the release and fixed in a more elegant manner. Related bug reports: - https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.per...@citrix.com/T/ - https://bugs.debian.org/964793 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 - https://bugs.launchpad.net/bugs/1886318 Signed-off-by: Philippe Mathieu-Daudé <f4...@amsat.org> --- hw/isa/isa-bus.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/hw/isa/isa-bus.c b/hw/isa/isa-bus.c index 58fde178f9..c8aed2f55f 100644 --- a/hw/isa/isa-bus.c +++ b/hw/isa/isa-bus.c @@ -132,6 +132,20 @@ static inline void isa_init_ioport(ISADevice *dev, uint16_t ioport) void isa_register_ioport(ISADevice *dev, MemoryRegion *io, uint16_t start) { + if (io->ops->valid.min_access_size > 1 || + io->ops->valid.max_access_size < 4) { + warn_report_once("Monkey-patching ISA I/O access sizes " + "(side effect of CVE-2020-13754, only for QEMU v5.1)"); + /* + * To be backward compatible with IBM-PC bus, ISA bus must accept + * 8-bit accesses. + */ + io->ops->valid.min_access_size = 1; + /* + * EISA bus must accept 32-bit accesses. + */ + io->ops->valid.max_access_size = 4; + } memory_region_add_subregion(isabus->address_space_io, start, io); isa_init_ioport(dev, start); } -- 2.21.3