
qKarachter was a kernel challenge that provided a misc device driven through ioctl(2). In summary:

* uint8 overflow when assigning readPos[idx] in readData
* readPos[idx] is still set in readData even when copy_to_user fails and the read pointer is not incremented
* the next adjacent chunk is freed when read pointer == max buffer pointer and readPos[idx] == 0, which can be turned into a double free
* overwrite fd to get an allocation on modprobe_path, then overwrite modprobe_path to do the modprobe_path exploit
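
The first two bullets, as an added example that is not the challenge's driver code or the author's exploit: a constructed user-space model showing the flawed ordering beside a hardened version. Every name except readPos is hypothetical, the overflow is assumed to be a narrowing store of a wider length, and fake_copy stands in for copy_to_user.

```c
#include <stdint.h>
#include <string.h>
#define NBUF 2
#define BUFSZ 512

/* Constructed user-space model; every name except readPos is hypothetical. */
struct model {
    char    data[NBUF][BUFSZ];
    size_t  cursor[NBUF];   /* stand-in for the read pointer */
    uint8_t readPos[NBUF];  /* 8-bit bookkeeping field, as in the summary */
};

/* Stand-in for copy_to_user(): returns the number of bytes NOT copied. */
static size_t fake_copy(char *dst, const char *src, size_t n, int fail)
{
    if (fail) return n;
    memcpy(dst, src, n);
    return 0;
}

/* Flawed pattern: state is committed first, and through a narrowing store. */
int read_vuln(struct model *m, int idx, char *dst, size_t len, int fail)
{
    m->readPos[idx] = len;  /* size_t -> uint8_t: 256 becomes 0 */
    if (fake_copy(dst, m->data[idx] + m->cursor[idx], len, fail))
        return -1;          /* cursor untouched, readPos already changed */
    m->cursor[idx] += len;
    return 0;
}

/* Hardened pattern: validate the range, copy, then commit both fields. */
int read_fixed(struct model *m, int idx, char *dst, size_t len, int fail)
{
    if (idx < 0 || idx >= NBUF || len > UINT8_MAX || len > BUFSZ - m->cursor[idx])
        return -1;
    if (fake_copy(dst, m->data[idx] + m->cursor[idx], len, fail))
        return -1;          /* nothing committed on failure */
    m->cursor[idx] += len;
    m->readPos[idx] = (uint8_t)len;
    return 0;
}

int main(void)
{
    static struct model m;
    char out[BUFSZ];
    read_vuln(&m, 0, out, 256, 0);  /* readPos[0] wraps to 0 */
    read_vuln(&m, 1, out, 16, 1);   /* failed copy still sets readPos[1] */
    return !(m.readPos[0] == 0 && m.readPos[1] == 16 && m.cursor[1] == 0);
}
```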

The full writeup can be found here: [https://circleous.blogspot.com/2022/04/crewctf-2022-qkarachter.html](https://circleous.blogspot.com/2022/04/crewctf-2022-qkarachter.html)
