I am trying to exploit a heap overflow in the Linux kernel with all the protections enabled, i.e. SMAP and SMEP. What I understand is that SMEP doesn't allow me to execute userland code and SMAP doesn't allow me to read or write to userland. But I am wondering: if I replace the free list pointer of some free object with some userland pointer, will I be able to allocate the object in userland?
Also, I tried replacing the free list pointer, but I am getting weird crashes which I am not able to debug properly. I am not sure whether they are because of me trying to allocate something in userland.