The vulnerability is in the edit operation.
The copy_from_user call there can be manipulated:
we can stall the operation at that point and change the heap layout,
so that the subsequent copy tampers with a critical structure.
The idea is to modify the size of the next note
and so obtain an out-of-bounds read and write (OOB R&W).
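
The race described above, next to a hardened edit path, as an added user-space model that is not the challenge's code. The arena layout, the 4-byte size header and every function name are assumptions made for illustration; copy_in stands in for copy_from_user and ubuf must hold at least 32 bytes.

```c
#include <stdint.h>
#include <string.h>

/* Constructed user-space model of the race; every name is hypothetical. */
enum { HDR = sizeof(uint32_t), ARENA = 64 };
static unsigned char arena[ARENA];   /* stands in for one heap region       */
static uint32_t note_off, note_len;  /* live bookkeeping for note 0         */
static uint32_t next_off;            /* header of the next note, 0 = none   */

static void put_hdr(uint32_t off, uint32_t size) { memcpy(arena + off, &size, HDR); }
static uint32_t get_hdr(uint32_t off) { uint32_t s; memcpy(&s, arena + off, HDR); return s; }
static void reset(void) {            /* note 0 holds 32 data bytes, no neighbour */
    memset(arena, 0, ARENA);
    note_off = 0; note_len = 32; next_off = 0; put_hdr(note_off, note_len);
}
/* Layout change made by another thread while the copy is blocked: note 0
 * is re-created with 8 bytes and a second note is placed right behind it. */
static void relayout(void) {
    note_len = 8; put_hdr(note_off, note_len);
    next_off = note_off + HDR + note_len; put_hdr(next_off, 8);
}
/* Stand-in for copy_from_user(): it may block before writing any byte. */
static void copy_in(void *dst, const void *src, uint32_t n, int stall) {
    if (stall) relayout();
    memcpy(dst, src, n);
}
/* Before: destination and length are fixed before the copy can block. */
static uint32_t edit_racy(const void *ubuf, int stall) {
    unsigned char *dst = arena + note_off + HDR;
    uint32_t n = note_len;
    copy_in(dst, ubuf, n, stall);
    return next_off ? get_hdr(next_off) : 0;   /* size field of the next note */
}
/* After: the blocking copy fills a private buffer; the note is looked up and
 * the length clamped only afterwards (under the note lock in a driver). */
static uint32_t edit_fixed(const void *ubuf, int stall) {
    unsigned char tmp[32];
    copy_in(tmp, ubuf, sizeof tmp, stall);
    uint32_t n = note_len < sizeof tmp ? note_len : (uint32_t)sizeof tmp;
    memcpy(arena + note_off + HDR, tmp, n);
    return next_off ? get_hdr(next_off) : 0;
}
int main(void) {
    unsigned char ubuf[32];
    memset(ubuf, 0x41, sizeof ubuf);         /* constructed input */
    reset(); uint32_t racy = edit_racy(ubuf, 1);
    reset(); uint32_t fixed = edit_fixed(ubuf, 1);
    return !(racy == 0x41414141u && fixed == 8);
}
```

In the racy path the next note's size field ends up holding the caller's bytes; in the fixed path it keeps the value 8, because nothing is written to the note until the blocking copy has finished and the live length has been re-read.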