CVE-2023-28772 - Uncovering a Linux Kernel Buffer Overflow in lib/seq_buf.c’s seq_buf_putmem_hex

---

Linux is heralded for its robust security, but even the best software can have vulnerabilities. In this exclusive post, we’ll break down the buffer overflow discovered in the Linux kernel before version 5.13.3—dubbed CVE-2023-28772—directly related to the seq_buf_putmem_hex function in lib/seq_buf.c. We’ll explain what this means (even if you’re not a kernel developer), show code snippets, reference official write-ups, and outline potential exploit scenarios.

What’s the Big Deal With CVE-2023-28772?

A buffer overflow happens when a program writes more data to a spot in memory than it’s supposed to hold. With this bug, the seq_buf_putmem_hex function didn’t check if there was enough space in the target buffer. This allowed attackers—or even regular users, in the right scenario—to overwrite adjacent memory. That can lead to kernel crashes or, in the hands of the right hacker, possible privilege escalation or code execution.

Here’s the vulnerable part, simplified for clarity

void seq_buf_putmem_hex(struct seq_buf *m, const void *mem,
                        size_t len, size_t groupsize)
{
    const u8 *p = mem;
    size_t i;

    for (i = ; i < len; i++) {
        /* No check if m->size is enough! */
        seq_buf_puts(m, hex_asc[*p]);
        p++;
    }
}

The function writes hex output for len bytes into m (the buffer), without checking if the destination has enough room. In the kernel, memory safety is crucial—overruns like this can be catastrophic.

The patch added careful length checks before writing to the buffer

if (m->len + 2 > m->size) {
    m->overflow = 1;
    return;
}

Now, before anything gets written, the code makes sure it doesn’t overrun the buffer.

Finding the Details: Official References

- NVD Detail Page — CVE-2023-28772
- Linux Kernel Commit
- CVE Report Page

Everything points out it’s been fixed in Linux kernel v5.13.3 and later.

Can It Actually Be Exploited?

Who’s at Risk?  
This bug is mostly a risk for things running custom or unpatched kernels. Because the function is part of Linux internal utilities, an attacker would need to trigger it through some kernel code path—like a vulnerable driver or module that uses this function for logging or exposing system data.

Simple Proof-of-Concept (POC) Approach

Below is a pseudo-PoC, showing how someone might try to provoke the overflow (real exploit needs kernel module access):

// kernel module skeleton
struct seq_buf *buf = kmalloc(sizeof(struct seq_buf), GFP_KERNEL);
char big_data[2048];
memset(big_data, x41, sizeof(big_data)); // fill with 'A's

// Intentionally pass huge chunk
seq_buf_putmem_hex(buf, big_data, sizeof(big_data), 1);
// Without patch: m->len will overflow buffer, leading to chaos!

If the buffer size isn’t big enough, or len is huge, this can overflow. Before the patch, Linux didn’t prevent this—making the bug possible.

What Should You Do?

Update Your Kernel!  
If your system is running a Linux kernel version lower than 5.13.3, you need to patch or upgrade. Major distributions have already included security patches.

- Debian Security Tracker – CVE-2023-28772
- Red Hat Bugzilla – CVE-2023-28772

If you run custom kernel builds (embedded devices, etc.), check if the patch is present in your tree!

Final Thoughts

CVE-2023-28772 is a perfect example of why even small, overlooked checks in system code matter. In Linux, it takes only one unchecked buffer write to introduce a security hole, and attackers are always watching. Stay updated—don’t let old bugs become new headaches.


*For more technical breakdowns like this, subscribe or comment below!*

Timeline

Published on: 03/23/2023 15:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC