Re: [PATCH] mei: vsc: fix potential array bounds violation in ACE address allocation

From: Greg KH
Date: Sun Aug 17 2025 - 07:10:15 EST


On Fri, Aug 01, 2025 at 05:06:00PM +0800, WangYuli wrote:
> When ACE images require dynamic address allocation, the code accesses
> frags[frag_index - 1] without bounds checking. This could lead to:
>
> - Array underflow if frag_index is 0

How can that happen? It's coming directly from a static array in the
code itself that it declared right above these lines?

> - Use of uninitialized fragment data for address calculations

Where will that come from?

> - Silent failures in address allocation

Where?

> Add proper validation before accessing the previous fragment and
> provide clear error messages when validation fails.

But how can any of this really happen? If it does, it's a bug in the
code that people added. So why is any of this needed to the code today?

How did you hit any of the above, and how was this patch tested?

thanks,

greg k-h