Tags: kernel pwn heap
Rating: 5.0
Null byte poisoning in alloc and edit, and limited OOB write in edit in kmalloc-128. Heap massage to create a free chunk in the driver's note chunk linked list, and replace it with a msg_msg object that links to msg_msg objects in kmalloc-96, allowing the driver to traverse into a different slab. Utilize edit to corrupt the size field of a kmalloc-96 msg_msg object to obtain OOB read and KASLR leak from subprocess_info. Now, redo the heap massage, fix the driver's linked list, and double free to freelist poison onto modprobe_path.