Tags: pwn 

Rating: 4.0

tl;dr The loader calls `__clear_user` without first checking that the address it was handed from the binary is a userspace address (`__clear_user` skips the `access_ok()` check that `clear_user` performs), so an arbitrary kernel address can be overwritten with zeros. There is also no bounds check when the loader looks up the mapping entries it passes to `vm_mmap`, so the lookup can read past the buffer holding the header, which is what lets us leak the address of the `cred` structure; that is the target that makes the zeroing primitive useful, since a `cred` whose uid/gid fields are all zero is root's.
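The two missing checks, as an added user-space model that is not the challenge's loader or the writeup's exploit. The header layout, the mapping record, the magic value and the `binprm_model` struct (a 256-byte read buffer followed by a stand-in for the `cred` pointer) are assumptions made for this example, not the real p4fmt format or `linux_binprm`; only the arithmetic of the bounds check and the user-range check is the point.

```c
/* Added example: user-space model of the p4fmt loader's two missing checks.
 * Header layout, magic, and struct binprm_model are assumptions for this
 * example; they are not the real format or the kernel's linux_binprm. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BINPRM_BUF_SIZE 256                    /* kernel reads only this much of the file up front */
#define USER_ADDR_MAX   0x00007fffffffffffULL  /* x86-64 user/kernel split used by the range check */

/* Hypothetical header: a 32-byte preamble followed by nr_mappings records of 32 bytes each. */
struct p4_mapping { uint64_t vaddr, len, file_off, bss_len; };
struct p4_header  { uint64_t magic, nr_mappings, entry, reserved; struct p4_mapping maps[]; };

/* Model of the data the loader works from: the read buffer and whatever sits after it.
 * Record 7 starts at byte 32 + 7*32 == 256, i.e. exactly on cred_ptr. */
struct binprm_model {
    uint8_t  buf[BINPRM_BUF_SIZE];
    uint64_t cred_ptr;      /* stands in for the cred pointer that leaked in the CTF */
};

/* Vulnerable lookup: trusts nr_mappings and indexes straight into buf. */
static const struct p4_mapping *lookup_mapping_vuln(const struct binprm_model *b, unsigned idx)
{
    const struct p4_header *h = (const struct p4_header *)b->buf;
    return &h->maps[idx];   /* no check that the record lies inside the bytes actually read */
}

/* Fixed lookup: the whole record must fit inside the bytes actually read. */
static const struct p4_mapping *lookup_mapping_safe(const struct binprm_model *b, unsigned idx)
{
    const struct p4_header *h = (const struct p4_header *)b->buf;
    size_t end = sizeof(*h) + (size_t)(idx + 1) * sizeof(struct p4_mapping);
    if (idx >= h->nr_mappings || end > BINPRM_BUF_SIZE)
        return NULL;
    return &h->maps[idx];
}

/* Model of access_ok(): [addr, addr+len) must lie entirely in the user half. */
static int range_is_user(uint64_t addr, uint64_t len)
{
    return len <= USER_ADDR_MAX && addr <= USER_ADDR_MAX - len;
}

/* The bss-zeroing step.  Returns 0 when __clear_user could safely run on
 * the range after the mapping, -EFAULT when it would reach kernel memory. */
static int check_bss_range(uint64_t vaddr, uint64_t len, uint64_t bss_len)
{
    uint64_t start = vaddr + len;
    if (start < vaddr || !range_is_user(start, bss_len))   /* wrap or kernel address */
        return -EFAULT;
    return 0;               /* __clear_user(start, bss_len) would go here */
}

/* Constructed sample: a header claiming far more mappings than fit in the buffer. */
static void build_sample(struct binprm_model *b)
{
    struct p4_header *h = (struct p4_header *)b->buf;
    memset(b, 0, sizeof(*b));
    h->magic = 0x3450;      /* constructed value, not the real magic */
    h->nr_mappings = 100;   /* only 7 records (indices 0..6) actually fit in buf */
    for (unsigned i = 0; i < 7; i++) {
        h->maps[i].vaddr = 0x400000 + (uint64_t)i * 0x1000;
        h->maps[i].len   = 0x1000;
    }
    b->cred_ptr = 0xffff888012345678ULL;   /* constructed stand-in for the cred address */
}

/* vaddr the vulnerable lookup would hand to vm_mmap for record idx. */
static uint64_t vuln_vaddr_of(unsigned idx)
{
    struct binprm_model b;
    build_sample(&b);
    return lookup_mapping_vuln(&b, idx)->vaddr;
}

/* 1 if the fixed lookup accepts record idx, 0 if it rejects it. */
static int safe_accepts(unsigned idx)
{
    struct binprm_model b;
    build_sample(&b);
    return lookup_mapping_safe(&b, idx) != NULL;
}

int main(void)
{
    printf("record 6 vaddr: %#llx (in buffer)\n", (unsigned long long)vuln_vaddr_of(6));
    printf("record 7 vaddr: %#llx (read past buffer: the cred pointer)\n",
           (unsigned long long)vuln_vaddr_of(7));
    printf("fixed lookup accepts 7? %d\n", safe_accepts(7));
    printf("bss after kernel address: %d\n", check_bss_range(0xffff888012345678ULL, 0x10, 0x10));
    return 0;
}
```

With the constructed sample, record 7 is read entirely from outside the buffer, so the address the vulnerable loader would map is the fake `cred` pointer; the fixed lookup refuses it, and the range check refuses to zero anything that starts at or wraps into a kernel address.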

Original writeup (https://amritabi0s.wordpress.com/2019/03/19/confidence-ctf-p4fmt-write-up/).