aspeed_i2c guest-triggerable assert
I found a guest-triggerable assertion in the aspeed_i2c bus device.
## Version
commit: 2339d0a1cf
tag: v10.2.0-690-g2339d0a1cf
## Description of problem
In the Aspeed I2C bus device model, the MMIO write handler for the slave DMA length register (`A_I2CS_DMA_LEN`) uses an `assert()` on a guest-controlled field. If the guest writes a value with the `TX_BUF_LEN` field set to non-zero, QEMU aborts immediately instead of rejecting the invalid value gracefully.
```c
/*
 * hw/i2c/aspeed_i2c.c, aspeed_i2c_bus_new_write()
 */
    case A_I2CS_DMA_LEN:
        /* 'value' comes straight from the guest's MMIO write: a non-zero
         * TX_BUF_LEN field fails this assert and aborts the whole QEMU process. */
        assert(FIELD_EX32(value, I2CS_DMA_LEN, TX_BUF_LEN) == 0);
        if (FIELD_EX32(value, I2CS_DMA_LEN, RX_BUF_LEN_W1T)) {
            ARRAY_FIELD_DP32(bus->regs, I2CS_DMA_LEN, RX_BUF_LEN,
                             FIELD_EX32(value, I2CS_DMA_LEN, RX_BUF_LEN));
        } else {
            bus->regs[R_I2CS_DMA_LEN] = value;
        }
        break;
...
/* The MMIO ops that route guest register writes to the handler above. */
static const MemoryRegionOps aspeed_i2c_bus_ops = {
    .read = aspeed_i2c_bus_read,
    .write = aspeed_i2c_bus_write,
    .endianness = DEVICE_LITTLE_ENDIAN,
};
```
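As an added illustration (not QEMU's code), the following self-contained C model shows the graceful handling the description asks for: a write with a non-zero `TX_BUF_LEN` is logged and ignored instead of tripping an `assert()`, while the existing `RX_BUF_LEN_W1T` / plain-write logic is kept. The field bit positions, the `field_ex`/`field_dp` stand-ins for QEMU's `FIELD_EX32`/`FIELD_DP32`, and the `fprintf` in place of `qemu_log_mask(LOG_GUEST_ERROR, ...)` are assumptions of this example; check `hw/i2c/aspeed_i2c.h` for the real layout.

```c
#include <stdint.h>
#include <stdio.h>

/* I2CS_DMA_LEN field layout as ASSUMED for this example (shift, mask);
 * the authoritative definitions live in hw/i2c/aspeed_i2c.h. */
#define TX_BUF_LEN_SHIFT     0
#define TX_BUF_LEN_MASK      0x7ffu
#define RX_BUF_LEN_SHIFT     16
#define RX_BUF_LEN_MASK      0x7ffu
#define RX_BUF_LEN_W1T_BIT   (1u << 31)

/* Minimal stand-ins for QEMU's FIELD_EX32 / FIELD_DP32 helpers. */
static inline uint32_t field_ex(uint32_t v, unsigned shift, uint32_t mask)
{
    return (v >> shift) & mask;
}

static inline uint32_t field_dp(uint32_t reg, unsigned shift, uint32_t mask,
                                uint32_t val)
{
    return (reg & ~(mask << shift)) | ((val & mask) << shift);
}

/*
 * Hardened write handler for I2CS_DMA_LEN.
 * Returns 0 when the write is applied and -1 when the guest value is rejected.
 * The original handler asserts on a non-zero TX_BUF_LEN, which lets a guest
 * abort the VM; here the write is reported as a guest error and dropped, and
 * the register keeps its previous contents.
 */
int i2cs_dma_len_write(uint32_t *reg, uint32_t value)
{
    uint32_t tx_len = field_ex(value, TX_BUF_LEN_SHIFT, TX_BUF_LEN_MASK);

    if (tx_len != 0) {
        /* QEMU would use qemu_log_mask(LOG_GUEST_ERROR, ...) here. */
        fprintf(stderr, "aspeed_i2c: I2CS_DMA_LEN write 0x%08x with unsupported "
                        "TX_BUF_LEN 0x%x ignored\n", value, tx_len);
        return -1;
    }
    if (value & RX_BUF_LEN_W1T_BIT) {
        /* Write-1-to-trigger: update only the RX_BUF_LEN field. */
        *reg = field_dp(*reg, RX_BUF_LEN_SHIFT, RX_BUF_LEN_MASK,
                        field_ex(value, RX_BUF_LEN_SHIFT, RX_BUF_LEN_MASK));
    } else {
        *reg = value;
    }
    return 0;
}
```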
## Steps to Reproduce
### Configuration
```bash
./configure --target-list=arm-softmmu --enable-debug --disable-strip
make -j$(nproc)
```
### Reproducer
```bash
cat <<'EOF' | ./qemu-system-arm \
-M ast2600-evb -nographic -monitor none -serial none \
-qtest stdio
writeb 0x1E78A00C 0x04
writeb 0x1E78A2AC 0x01
EOF
```
### Other information
```bash
cat <<'EOF' | ./qemu-system-arm \
-M ast2600-evb -nographic -monitor none -serial none \
-qtest stdio
writeb 0x1E78A00C 0x04
writeb 0x1E78A2AC 0x01
EOF
qemu-system-arm: ../hw/i2c/aspeed_i2c.c:705: aspeed_i2c_bus_new_write:
Assertion `FIELD_EX32(value, I2CS_DMA_LEN, TX_BUF_LEN) == 0' failed.
```