Title bcm2835/rng: 1-byte MMIO read hits assert in bcm2835_rng_read() Version commit: 2339d0a1 tag: v10.2.0-690-g2339d0a1cf version: QEMU emulator version 10.2.50 (v10.2.0-690-g2339d0a1cf-dirty) Device and source file hw/misc/bcm2835_rng.c (`bcm2835-rng` on Raspberry Pi boards) I checked `info mtree -f` after boot and the relevant window is `0x3f104000-0x3f10400f` (`bcm2835-rng`), so the access at `0x3f104000` is in-range. Description of problem The BCM2835 RNG model assumes all accesses are 32-bit and enforces that with `assert(size == 4)` in both the read and write handlers. On `raspi2b`, a narrow read to the RNG base is enough to hit the assert. So this is another case where a malformed guest MMIO access takes the whole process down instead of being treated as a guest error. Key code: ```c /* hw/misc/bcm2835_rng.c */ static uint64_t bcm2835_rng_read(void *opaque, hwaddr offset, unsigned size) { ... assert(size == 4); switch (offset) { case 0x0: res = s->rng_ctrl; break; ... } ``` Root cause analysis Input source: guest MMIO read with an unsupported access size. Missing validation: width checking is implemented as `assert(size == 4)`. Bug class: guest-triggerable assertion / host DoS. Impact: a 1-byte read aborts the emulator. Steps to Reproduce Configuration ```bash ./configure --target-list=arm-softmmu --enable-debug --disable-strip make -j"$(nproc)" ``` Reproducer (qtest) Using the live addresses above, I reproduced it with qtest like this: ```bash cat <<'EOF' | ./qemu-system-arm -display none -machine raspi2b,accel=qtest -nodefaults -monitor none -serial none -qtest stdio readw 0x3f104000 EOF ``` Observed output (excerpt) ```text [I 0.000000] OPENED [R +0.013467] readw 0x3f104000 qemu-system-arm: ../qemu-2339d0a1cfac6ecc667e6e062a593865c1541c35/hw/misc/bcm2835_rng.c:43: bcm2835_rng_read: Assertion `size == 4' failed. [local] exit code: -6 ``` Note I also checked a normal 32-bit read from the same register block. That one returns normally; only the width mismatch trips the assert.