Source: bugs.chromium.org/p/project-zero/issues/detail?id=837
TL;DR
You cannot hold or use a task struct pointer and expect the euid of that task to stay the same.
Many, many places in the kernel do this, and there are a great many very exploitable bugs as a result.
********
task_t is just a typedef for a task struct * It's the abstractio ...
Source: bugs.chromium.org/p/project-zero/issues/detail?id=831
IOSurfaceRootUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xf0 without taking a reference.
By killing the corresponding task we can free this pointer, leaving the user client with a dangling pointer. We can get this pointer used
by calli ...