Tags: pwn
Rating: 4.0
tl;dr: No check is done before the call to `_clear_user` to ensure that the address being passed is a userspace address, so we can overwrite an arbitrary kernel address with nulls. Also, there is no bounds check while looking up the address passed to `vm_mmap`, which lets us leak the address of the creds structure.
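As an added illustration of the two missing checks described above (not the challenge module's code and not the kernel's own code), here is a user-space C model of what a hardened driver would do before touching a caller-supplied address or index. `TASK_SIZE_MAX`, the slot table and the function names are assumed for the example; in a real module the range check is `access_ok()` and the failure return is `-EFAULT`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the checks the writeup says are absent. The
 * user/kernel split value below is an assumed x86-64 constant. */
#define TASK_SIZE_MAX ((uintptr_t)0x00007ffffffff000ULL)

/* Mirrors the intent of the kernel's access_ok(): the whole range
 * [addr, addr + len) must sit below the user limit and must not wrap. */
bool range_is_user(uintptr_t addr, size_t len)
{
    uintptr_t end;
    if (__builtin_add_overflow(addr, len, &end))
        return false;              /* addr + len wrapped around: reject */
    return end <= TASK_SIZE_MAX;
}

/* Hardened counterpart of "clear_user with no check": refuses any target
 * that is not a user-space range instead of zeroing kernel memory. */
int checked_clear_user(uintptr_t addr, size_t len)
{
    if (!range_is_user(addr, len))
        return -1;                 /* the kernel would return -EFAULT here */
    /* In a real module, clear_user(addr, len) would run at this point. */
    return 0;
}

/* Bounds-checked slot lookup, modelling the check that should precede
 * handing a stored address to vm_mmap. The slot contents are hypothetical. */
#define NSLOTS 4
static const uintptr_t slots[NSLOTS] = {
    0x00007f0000001000ULL, 0x00007f0000002000ULL, 0, 0
};

int lookup_slot(long idx, uintptr_t *out)
{
    if (idx < 0 || idx >= NSLOTS)
        return -1;                 /* index outside the table is rejected */
    *out = slots[idx];
    return 0;
}

int main(void)
{
    uintptr_t v;
    printf("user range:   %d\n", checked_clear_user(0x00007f0000001000ULL, 0x100));
    printf("kernel range: %d\n", checked_clear_user(0xffffffff81000000ULL, 8));
    printf("idx -1:       %d\n", lookup_slot(-1, &v));
    printf("idx 1:        %d (0x%lx)\n", lookup_slot(1, &v), (unsigned long)v);
    return 0;
}
```

The overflow-aware range check matters as much as the upper bound: a length that wraps `addr + len` past zero would otherwise pass a naive `addr < TASK_SIZE_MAX` test while still covering kernel memory.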