1 files changed, 39 insertions, 0 deletions

diff --git a/meta-openbmc-mods/meta-ast2500/recipes-bsp/u-boot/files/CVE-2020-10648/0003-image-Return-an-error-message-from-fit_config_verify.patch b/meta-openbmc-mods/meta-ast2500/recipes-bsp/u-boot/files/CVE-2020-10648/0003-image-Return-an-error-message-from-fit_config_verify.patch
new file mode 100644
index 000000000..fd8ceecf0
--- /dev/null
+++ b/meta-openbmc-mods/meta-ast2500/recipes-bsp/u-boot/files/CVE-2020-10648/0003-image-Return-an-error-message-from-fit_config_verify.patch
@@ -0,0 +1,39 @@
+From 647e43f0aee09ef33d2159ad95c7f3499d8fd8a4 Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Tue, 31 Mar 2020 18:43:55 +0200
+Subject: [PATCH] image: Return an error message from fit_config_verify_sig()
+
+This function only returns an error message sometimes. Update it to always
+return an error message if one is available. This makes it easier to see
+what went wrong.
+
+Signed-off-by: Simon Glass <sjg@chromium.org>
+Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+---
+ common/image-sig.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/common/image-sig.c b/common/image-sig.c
+index eda5e1353ab0..a664f4a40945 100644
+--- a/common/image-sig.c
++++ b/common/image-sig.c
+@@ -415,13 +415,14 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset,
+ 		goto error;
+ 	}
+ 
+-	return verified ? 0 : -EPERM;
++	if (verified)
++		return 0;
+ 
+ error:
+ 	printf(" error!\n%s for '%s' hash node in '%s' config node\n",
+ 	       err_msg, fit_get_name(fit, noffset, NULL),
+ 	       fit_get_name(fit, conf_noffset, NULL));
+-	return -1;
++	return -EPERM;
+ }
+ 
+ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
+-- 
+2.17.1
+