DF-0094
shmrealloc initializes OLD shmsegs[] instead of newsegs[] - heap OOB write + uninit new array (dead code)
Summary
shmrealloc (sysv_shm.c:692-698): after kmalloc newsegs + bcopy shmalloced entries, second init loop writes shmsegs[i] (OLD array) instead of newsegs[i] -> writes past old shmalloced-slot array = heap OOB write; newsegs[shmalloced..shmmni-1] NEVER initialized (kmalloc not M_ZERO) -> random shm_perm.mode/key/seq + random shm_internal ptr reachable by shm_find_segment_by_key/shmid. DEAD CODE: shminit sets shmalloced=shmmni (:717) before user code, shmmni is CTLFLAG_RD (:136), early-return guard shmalloced>=shmmni (:689) always taken. Real bug would activate if shmmni made growable at runtime.