CVE-2022-2380: 
Linux Kernel vulnerability analysis and mitigation

The Linux kernel was found vulnerable to out-of-bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function, identified as CVE-2022-2380. This vulnerability was discovered by Zheyu Ma and affects the Silicon Motion SM712 framebuffer driver. The issue was disclosed on July 12, 2022 (Ubuntu Security).

The vulnerability exists in the Silicon Motion SM712 framebuffer driver's read function (smtcfbread) which did not properly handle very small reads. The issue was caused by improper endianness fixup-code and pointer post-decrement operations in the fbreadl() function. The vulnerability has been assigned a CVSS 3 Severity Score of 5.5 (Medium) (Ubuntu Security).

When exploited, this vulnerability could allow local attackers to cause a denial of service condition by crashing the kernel. The issue specifically manifests when reading three bytes from the framebuffer, leading to a page fault that could crash the system (Kernel Git).

The vulnerability has been fixed in various Linux kernel versions. The fix involves removing the open-coded endianness fixup-code and moving the pointer post-decrement operation out of the fb_readl() function. Ubuntu has released patches for multiple versions: Ubuntu 20.04 LTS (focal) - Fixed in 5.4.0-117.132, Ubuntu 18.04 LTS (bionic) - Fixed in 4.15.0-189.200, and Ubuntu 16.04 LTS (xenial) - Fixed in 4.4.0-239.273 (Ubuntu Security).