Re: [PATCH vulns 0/1] change the sha1 for CVE-2024-26661

[Greg KH <gregkh@linuxfoundation.org>]

On Mon, Aug 04, 2025 at 03:47:16PM +0800, Qingfeng Hao wrote:
> 
> On 8/2/25 16:19, Greg KH wrote:
> > CAUTION: This email comes from a non Wind River email account!
> > Do not click links or open attachments unless you recognize the sender and know the content is safe.
> > 
> > On Fri, Aug 01, 2025 at 12:04:54PM +0000, Hao, Qingfeng wrote:
> > > Hi Greg,
> > > Thanks for your check and comments. Sorry that I mistakenly changed
> > > the files of .dyad and .json. I'll pay attention next time.
> > > The original fix 66951d98d9bf ("drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'")
> > > or fb5a3d037082 for CVE-2024-26661 didn't fix the CVE (or even made it worse) because the key change
> > > is to check if “tg” is NULL before referencing it, but the fix does NOT do that correctly:
> > > +       if (!abm && !tg && !panel_cntl)
> > > +               return;
> > > Here "&&" should have been "||".
> > > The follow-up commit 17ba9cde11c2 fixes this by:
> > > -       if (!abm && !tg && !panel_cntl)
> > > +       if (!abm || !tg || !panel_cntl)
> > >                  return;
> > > So we consider that 66951d98d9bf is not a complete fix. It actually made things worse.
> > > 66951d98d9bf and 17ba9cde11c2 together fix CVE-2024-26661.
> > > The same problem happened to CVE-2024-26662.
> > > If you agree with the above analysis, should I append 17ba9cde11c2bfebbd70867b0a2ac4a22e573379 to CVE-2024-26661.sha1 ?
> > I think that the original CVE should just be rejected and a new one
> > added for the other sha1 you have pointed out that actually fixes the
> > issue because the first one does not do anything.  Is that ok?
> Thanks Greg.
> Just to be clear, 66951d98d9bf was supposed to fix CVE-2024-26661 but it
> failed
> to do that. Then 17ba9cde11c2 was added, together with 66951d98d9bf, finally
> fixing CVE-2024-26661.
> 
> 1) I'm OK with rejecting CVE-2024-26661 and creating a new CVE.
> BTW, since I'm new to kernel CVE management, why do we reject a valid CVE
> just
> because the initial fix doesn't work ?

Because almost all CVEs are tied to the commits that resolve them.  But,
we do have a way to have multiple commit ids for a single CVE, as you
point out, so we should probably just do that here as well.

> 2) If we do need to reject CVE-2024-26661 and create a new CVE, is there
> anything I should do ?

Nope!

> 3) I just did some search and found that some sha1 files contain multiple
> commit ids. The sha1 file should contain all of the commits that fix the CVE
> ?
> Or just the last commit of the commits that fix the CVE ?

Let me just go and add this id to the CVE itself, as it makes more sense
as you point out, both commits need to be present here to resolve the
issue.

I've now done that, but note, it didn't change anything here, the fixes
and vulnerable entries still all remain the same, so no one really will
notice this :)

thanks,

greg k-h