DiceCTF 2021 HashBrown Writeup: From Kernel Module Hashmap Resize Race Condition to FG-KASLR Bypass
ID: 6d001d54-07f3-5f8b-9413-2c87e4c30256
STIX ID: report--6d001d54-07f3-5f8b-9413-2c87e4c30256
Feed Name: Will's Root
This writeup documents HashBrown, a DiceCTF kernel challenge containing a race condition during hashmap resize that enables a use-after-free. The author describes creating a stable race with userfaultfd to leak kernel pointers (via shm_file_data) and obtain arbitrary write primitives, which are used to overwrite writable kernel strings (e.g., modprobe_path) for privilege escalation. The writeup includes exploitation details and final exploit results.
