ESI-SYSV is vulnerable to a stack-based buffer overflow when handling I/O instructions in atl2_xmit_interrupt. With a carefully crafted packet, user-level attackers may be able to execute arbitrary code in the context of the xmit thread.
The Aspeed BMC can be controlled by two separate elements. The first element is an IPC (Inter Processor Communication) interface that allows the BMC to be controlled through a set of registers/variables on real CPUs (ideally, there would be two). Examples of host systems being controlled include modern ARM-based architectures, ARM Cortex-A9 or newer, and PowerPC-based systems. The second element uses the UART to provide a debug interface, screen, or a limited configuration interface. This CVE applies to the UART-based SoC debug interface and Watchdog setup. Aside from providing embedded WTC support, the GPIO subsystem also allows for basic GPIO support, but it suffers from several bugs in synchronization: detecting a valid alternate function pin before its associated GPIO has been configured; checking if a pin is an alternate function pin (APLINK); and reverting APLINK to the default configuration before performing the pin-specific clock_enable operation. This CVE applies to the specific cases of iLPC2AHB bridge Pt I, iLPC2AHB bridge Pt II, PCIe VGA P2A bridge, DMA from/to arbitrary BMC memory via X-DMA, LPC2AHB bridge, PCIe BMC P2A bridge, and Watchdog setup.
User-level access to the platform's power management construct generic ePwmPCLK_PMPwmPCLK() and generic eRstN registers in the Platform Abstraction Layer (PAL) allows malicious users to alter the power management architecture by resetting power management units (PMUs) and the reset vector for obsolete processors and devices.