Assertion failure when pci config len
## Version

commit: 2339d0a1cf
tag: v10.2.0-690-g2339d0a1cf

## Description of problem

`pci_host_config_read_common()` / `pci_host_config_write_common()` still enforce the access length with an assertion:

```c
/* hw/pci/pci_host.c */
assert(len <= 4);
```

On the `powernv8` PHB3 SPCI/XSCOM path, an 8-byte access can be forwarded as-is into this function, which trips the assertion and aborts QEMU (DoS).

```c
/* hw/pci-host/pnv_phb3_pbcq.c */
static uint64_t pnv_pbcq_spci_xscom_read(void *opaque, hwaddr addr, unsigned size)
{
    ...
    if (offset == PBCQ_SPCI_ASB_DATA) {
        return pnv_phb3_reg_read(pbcq->phb,
                                 pbcq->spci_regs[PBCQ_SPCI_ASB_ADDR], 8);
    }
    ...
}
```

This is the same bug class as other guest-reachable `assert()` issues: an input validation failure is handled as an internal invariant failure, terminating the process.
## Steps to Reproduce

### Configuration

```bash
mkdir build-ppc-len && cd build-ppc-len
CC=clang CC_FOR_BUILD=clang \
    ../configure --target-list=ppc64-softmmu --enable-debug --disable-strip
ninja -j"$(nproc)" qemu-system-ppc64
```

### Reproducer

```bash
cat << "EOF" | ./qemu-system-ppc64 \
    -M powernv8 -accel tcg -cpu POWER8 \
    -display none \
    -serial none -monitor none \
    -qtest stdio -S \
    -d guest_errors -D /tmp/pci_len_pnv.log
writeq 0x3fc009013c000 0x140
writeq 0x3fc009013c010 0x8000000000000000
writeq 0x3fc009013c000 0x130
readq 0x3fc009013c010
EOF
```

### Report

```text
qemu-system-ppc64: ../hw/pci/pci_host.c:109: uint32_t pci_host_config_read_common(PCIDevice *, uint32_t, uint32_t, uint32_t): Assertion `len <= 4' failed.
```

### Fix recommendation

- Replace `assert(len <= 4)` with explicit bounds checking and a safe return.
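As an added illustration of the recommended fix (not QEMU's code), a toy config-space accessor that treats an out-of-range length or offset as untrusted input rather than an invariant: it logs the rejected access and returns all ones (assumed here to mimic a read of absent config space) instead of aborting the process, and the matching write is dropped.

```c
#include <stdint.h>
#include <stdio.h>

#define CONFIG_SPACE_SIZE 256  /* constructed: legacy PCI config space size */

/* Constructed stand-in for a device's config space (little-endian, as on PCI). */
typedef struct { uint8_t config[CONFIG_SPACE_SIZE]; } ToyPCIDevice;

ToyPCIDevice g_dev;  /* zero-initialised sample device for the demo below */

/* Accept only 1/2/4-byte accesses that stay inside [0, limit). Written so that
 * addr + len cannot overflow: the length is compared against the space left. */
static int config_access_valid(uint32_t addr, uint32_t len, uint32_t limit)
{
    if (len != 1 && len != 2 && len != 4) {
        return 0;
    }
    return addr < limit && len <= limit - addr;
}

/* Hardened read: a bad length/offset is guest-controlled input, so reject it and
 * return all ones (assumed here to mimic an absent device) instead of assert()ing. */
uint32_t toy_config_read(ToyPCIDevice *dev, uint32_t addr, uint32_t len)
{
    uint32_t val = 0;
    if (!config_access_valid(addr, len, CONFIG_SPACE_SIZE)) {
        fprintf(stderr, "rejected PCI config read: addr=0x%x len=%u\n", addr, len);
        return ~0U;
    }
    for (uint32_t i = 0; i < len; i++) {
        val |= (uint32_t)dev->config[addr + i] << (8 * i);
    }
    return val;
}

/* Hardened write: invalid accesses are dropped; returns 1 when the write was applied. */
int toy_config_write(ToyPCIDevice *dev, uint32_t addr, uint32_t len, uint32_t val)
{
    if (!config_access_valid(addr, len, CONFIG_SPACE_SIZE)) {
        fprintf(stderr, "rejected PCI config write: addr=0x%x len=%u\n", addr, len);
        return 0;
    }
    for (uint32_t i = 0; i < len; i++) {
        dev->config[addr + i] = (uint8_t)(val >> (8 * i));
    }
    return 1;
}
```

The 8-byte read from the report maps to `toy_config_read(&g_dev, addr, 8)`, which now returns `~0U` and logs the event, a signal a detection pipeline can key on, rather than terminating the emulator.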