Tags: kernel pwn heap 

Rating: 5.0

The driver has null byte poisoning in both alloc and edit, plus a limited OOB write in edit, all on objects in kmalloc-128. A heap massage creates a free chunk inside the driver's note linked list and replaces it with a msg_msg object that links onward to msg_msg objects in kmalloc-96, so the driver's list traversal crosses into a different slab. Edit is then used to corrupt the size field of a kmalloc-96 msg_msg object, giving an OOB read and a KASLR leak from subprocess_info. Finally, the heap massage is redone, the driver's linked list is repaired, and a double free is used to poison the freelist onto modprobe_path.

Original writeup (https://www.willsroot.io/2021/10/pbctf-2021-nightclub-writeup-more-fun.html).