exynos4210/combiner: out-of-range read reaches hw_error()
## Version

commit: 2339d0a1, tag: v10.2.0-690-g2339d0a1cf

## Device and source file

hw/intc/exynos4210_combiner.c (`exynos4210.combiner`)

After starting the board, `info mtree -f` shows the accessed register inside `0x10448000-0x10448107` (`exynos4210-combiner`), so the access at `0x10448104` is in-range for the mapped window; it is the last word-aligned offset in that window (offset `0x104`).

## Description of problem

The Exynos combiner read path falls back to `s->reg_set[offset >> 2]` for offsets that the explicit cases do not handle, but first checks:

`if (offset >> 2 >= IIC_REGSET_SIZE) hw_error(...)`

So a guest read beyond the valid register set does not return 0 or log a guest error. It goes straight to `hw_error()`, which dumps CPU state and calls `abort()`, taking the whole emulator process with it.

Key code:

```c
/* hw/intc/exynos4210_combiner.c */
default:
    if (offset >> 2 >= IIC_REGSET_SIZE) {
        hw_error("exynos4210.combiner: overflow of reg_set by 0x"
                 HWADDR_FMT_plx "offset ", offset);
    }
    val = s->reg_set[offset >> 2];
    break;
```

## Root cause analysis

- Input source: guest MMIO read beyond the valid combiner register set (here offset `0x104`, the last word of the `0x108`-byte mapped region).
- Validation: the bound check is present, but its failure action is `hw_error()`, a fatal host-side error, rather than a guest-error log with a harmless return value.
- Bug class: guest-triggerable fatal error / host DoS.
- Impact: a single out-of-range read from guest code kills the emulator.
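The bound check and its failure action, modelled stand-alone as an added example (not code from this report or from QEMU): the fatal fallback quoted above next to a hardened variant that logs the bad access and returns zero. `IIC_REGSET_SIZE = 0x41` and `IIC_REGION_SIZE = 0x108` are assumptions derived from the report (the overflow fires at offset `0x104`; the window is `0x10448000-0x10448107`), `hw_error_stub()` stands in for QEMU's `hw_error()` and uses setjmp/longjmp so the process survives, and the `fprintf` stands in for `qemu_log_mask(LOG_GUEST_ERROR, ...)`. The probe walks every word-aligned offset of the window, which is how you would confirm that `0x104` is the only in-window offset that reaches the fatal path.

```c
#include <inttypes.h>
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed from the report: reg_set holds 0x41 words (the overflow fires at
 * offset 0x104) and the mapped window is 0x108 bytes (0x10448000-0x10448107). */
#define IIC_REGSET_SIZE 0x41
#define IIC_REGION_SIZE 0x108

struct combiner_model { uint32_t reg_set[IIC_REGSET_SIZE]; };

/* Stand-in for QEMU's hw_error(), which dumps CPU state and abort()s: this
 * one records the message and longjmps back so the process survives. */
static jmp_buf hw_error_env;
static char last_hw_error[96];

static void hw_error_stub(uint64_t offset)
{
    snprintf(last_hw_error, sizeof last_hw_error,
             "exynos4210.combiner: overflow of reg_set by 0x%016" PRIx64 "offset ",
             offset);
    longjmp(hw_error_env, 1);
}

/* Fallback path as the report quotes it: bound check, then fatal error. */
static uint32_t combiner_read_fatal(const struct combiner_model *s, uint64_t offset)
{
    if (offset >> 2 >= IIC_REGSET_SIZE) {
        hw_error_stub(offset);
    }
    return s->reg_set[offset >> 2];
}

/* Hardened variant: same check, but an out-of-range read is logged (this
 * fprintf stands in for qemu_log_mask(LOG_GUEST_ERROR, ...)) and reads as
 * zero, so the guest cannot take the emulator down. */
static int guest_errors_logged;

static uint32_t combiner_read_hardened(const struct combiner_model *s, uint64_t offset)
{
    if (offset >> 2 >= IIC_REGSET_SIZE) {
        guest_errors_logged++;
        fprintf(stderr, "exynos4210.combiner: guest read at unimplemented offset 0x%"
                PRIx64 "\n", offset);
        return 0;
    }
    return s->reg_set[offset >> 2];
}

/* Fill a model so that word i of reg_set reads back as i. */
static void model_init(struct combiner_model *s)
{
    for (uint32_t i = 0; i < IIC_REGSET_SIZE; i++) {
        s->reg_set[i] = i;
    }
}

/* 1 if a read at `offset` reaches hw_error() on the fatal path, else 0. */
static int fatal_read_aborts(uint64_t offset)
{
    struct combiner_model s;
    model_init(&s);
    if (setjmp(hw_error_env) != 0) {
        return 1;                       /* came back from hw_error_stub() */
    }
    (void)combiner_read_fatal(&s, offset);
    return 0;
}

/* First word-aligned offset in the window that reaches hw_error(), or
 * UINT64_MAX if none does. */
static uint64_t first_fatal_offset(void)
{
    for (uint64_t off = 0; off < IIC_REGION_SIZE; off += 4) {
        if (fatal_read_aborts(off)) {
            return off;
        }
    }
    return UINT64_MAX;
}

/* What the hardened path returns for `offset` on a freshly filled model. */
static uint32_t hardened_read_probe(uint64_t offset)
{
    struct combiner_model s;
    model_init(&s);
    return combiner_read_hardened(&s, offset);
}

int main(void)
{
    uint64_t off = first_fatal_offset();
    uint32_t ok = hardened_read_probe(0x100), bad = hardened_read_probe(off);
    printf("fatal path first fires at offset 0x%" PRIx64 ": %s\n", off, last_hw_error);
    printf("hardened reads: 0x100 -> 0x%08" PRIx32 ", 0x%" PRIx64 " -> 0x%08" PRIx32
           " (%d guest error(s) logged)\n", ok, off, bad, guest_errors_logged);
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c` and run it; the probe stops at `0x104`, the one word in the window with no backing `reg_set` entry. In a real fix the hardened branch would use `qemu_log_mask(LOG_GUEST_ERROR, ...)` so the message only appears when `-d guest_errors` is enabled and the guest still sees a zero read instead of a dead emulator.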
## Steps to reproduce

### Configuration

```bash
./configure --target-list=arm-softmmu --enable-debug --disable-strip
make -j"$(nproc)"
```

### Reproducer (qtest)

With the runtime layout confirmed first, this is the qtest sequence I used:

```bash
cat <<'EOF' | ./qemu-system-arm -accel qtest -M smdkc210 -display none -nodefaults -monitor none -serial none -qtest stdio
readl 0x10448104
EOF
```

### Observed output (excerpt)

```text
[I 0.000000] OPENED
[R +0.013592] readl 0x10448104
qemu: hardware error: exynos4210.combiner: overflow of reg_set by 0x0000000000000104offset CPU #0:
R00=00000000 R01=00000000 R02=00000000 R03=00000000
R04=00000000 R05=00000000 R06=00000000 R07=00000000
R08=00000000 R09=00000000 R10=00000000 R11=00000000
R12=00000000 R13=00000000 R14=00000000 R15=00000000
PSR=400001d3 -Z-- A svc32
s00=00000000 s01=00000000 d00=0000000000000000
s02=00000000 s03=00000000 d01=0000000000000000
s04=00000000 s05=00000000 d02=0000000000000000
s06=00000000 s07=00000000 d03=0000000000000000
s08=00000000 s09=00000000 d04=0000000000000000
s10=00000000 s11=00000000 d05=0000000000000000
s12=00000000 s13=00000000 d06=0000000000000000
s14=00000000 s15=00000000 d07=0000000000000000
s16=00000000 s17=00000000 d08=0000000000000000
s18=00000000 s19=00000000 d09=0000000000000000
s20=00000000 s21=00000000 d10=0000000000000000
[local] exit code: -6
```

### Note

The reproducer address is still inside the mapped combiner window on this board. The crash comes from the internal register-set bound check, not from an unmapped access, so it is not caught by the memory-region size check that guards the window itself. The exit code of -6 is SIGABRT from the `abort()` inside `hw_error()`; the register dump that precedes it is the CPU state dump `hw_error()` prints before aborting.