Tags: kernel pwn
* Overlap pages with a 1-byte OOB write to pipe_buffer->page
* Free a page while still holding a reference to it in another pipe
* Spray cred to populate the page with cred_jar
* Reoccupy cred with fork()
* Write zero integers through the pipe to overwrite the IDs in the cred struct
* Call system() in one of the forked processes to get the flag
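
Why a single corrupted byte in pipe_buffer->page is enough to break page ownership in the first two steps, shown as an added userland model that is not code from the original writeup. It assumes 64-byte page descriptors (as on x86_64), so neighbouring descriptors differ only in the low address byte; the `vmemmap` array, the `audit` invariant check and the byte value are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Userland toy model; names mirror the kernel's but nothing here touches it. */
struct page { int refcount; char pad[60]; };   /* assumption: 64-byte descriptor */
struct pipe_buffer { struct page *page; };

/* Four descriptors in one 256-byte window: they differ only in the low byte. */
static _Alignas(256) struct page vmemmap[4];

/* Model of the bug: only the least significant byte of buf->page changes. */
static void clobber_low_byte(struct pipe_buffer *buf, uint8_t b) {
    buf->page = (struct page *)(((uintptr_t)buf->page & ~(uintptr_t)0xff) | b);
}

static int put_page(struct page *pg) { return --pg->refcount == 0; } /* 1 = freed */

/* Invariant: a page must hold at least one reference per buffer pointing at it.
   Returns the number of pages that violate it. */
static int audit(const struct pipe_buffer *bufs, size_t n) {
    int bad = 0;
    for (size_t p = 0; p < 4; p++) {
        int holders = 0;
        for (size_t i = 0; i < n; i++)
            holders += (bufs[i].page == &vmemmap[p]);
        bad += holders > vmemmap[p].refcount;
    }
    return bad;
}

/* Records the audit result at each stage; returns 1 if a dangling holder remains. */
static int run_model(int out[3]) {
    struct pipe_buffer bufs[2];
    for (int i = 0; i < 4; i++) vmemmap[i].refcount = 0;
    for (int i = 0; i < 2; i++) { bufs[i].page = &vmemmap[i]; vmemmap[i].refcount = 1; }
    out[0] = audit(bufs, 2);                 /* healthy state */
    clobber_low_byte(&bufs[1], 0x00);        /* constructed value: aliases vmemmap[0] */
    out[1] = audit(bufs, 2);                 /* two holders, refcount still 1 */
    int freed = put_page(bufs[0].page);      /* first pipe drops its only reference */
    bufs[0].page = NULL;
    out[2] = audit(bufs, 2);                 /* bufs[1] still points at the freed page */
    return freed && bufs[1].page == &vmemmap[0];
}

int main(void) {
    int out[3], dangling = run_model(out);
    printf("violations: %d %d %d, dangling=%d\n", out[0], out[1], out[2], dangling);
    return 0;
}
```

The violation appears as soon as the pointer is corrupted, before any page is freed, which is the point at which a holders-versus-refcount check would catch it.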