DF-0093
Kernel heap pointer leaked to userspace via shmctl(IPC_STAT) shm_internal field + struct padding
Summary
sys_shmctl IPC_STAT (sysv_shm.c:424) performs copyout(shmseg, uap->buf, sizeof(inbuf)), which copies the entire in-kernel struct shmid_ds to userspace, including the void *shm_internal member (shm.h:83). That member holds shm_handle, a kmalloc heap pointer (set at line 550). Any process with IPC_R on the segment, including its creator or owner (shmget with IPC_CREAT), therefore receives a live kmalloc heap address, which defeats KASLR and exposes heap layout. In addition, the struct padding between ipc_perm.seq/key and shm_nattch/shm_atime is never written before the copy, so uninitialized heap residue is leaked along with it. The issue is reachable unprivileged, since the creator owns the segment and holds IPC_R on it.