DF-0179
Unconditional kernel address leak via kern.proc sysctl (KASLR bypass)
Summary
fill_kinfo_proc/lwp/kthread write raw kernel addresses into the kinfo structs exported via sysctl: kp_paddr(:128), kp_fd(:129), kl_wchan(:272), kp_ktaddr(:301), kp_lwp.kl_wchan(:321). No masking is applied. ps_showallprocs defaults to 1, so any unprivileged user can read kernel heap addresses of all processes. The result is a KASLR bypass plus a heap-grooming primitive for exploit chaining.
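
One way to close the leak, shown as an added example rather than the kernel's own code: clear the address fields before copy-out unless the requester is privileged. The demo_* structs and functions and the privileged flag are hypothetical stand-ins that carry only the fields named above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins: only the fields the finding names, not the real layout. */
struct demo_kinfo_lwp {
    int       kl_tid;
    uintptr_t kl_wchan;             /* wait-channel address */
};

struct demo_kinfo_proc {
    int       kp_pid;
    uintptr_t kp_paddr;             /* address of the process structure */
    uintptr_t kp_fd;                /* address of the descriptor table */
    uintptr_t kp_ktaddr;            /* address of the kernel thread */
    struct demo_kinfo_lwp kp_lwp;
};

/* Behaviour the finding describes: raw addresses copied into the export. */
void demo_fill_raw(struct demo_kinfo_proc *kp, int pid, const void *proc,
                   const void *fdp, const void *td, const void *wchan)
{
    memset(kp, 0, sizeof(*kp));     /* also clears padding before copy-out */
    kp->kp_pid = pid;
    kp->kp_paddr = (uintptr_t)proc;
    kp->kp_fd = (uintptr_t)fdp;
    kp->kp_ktaddr = (uintptr_t)td;
    kp->kp_lwp.kl_tid = 1;
    kp->kp_lwp.kl_wchan = (uintptr_t)wchan;
}

/* Hardened step: clear every address field unless the requester is privileged.
 * 'privileged' is an assumed flag standing in for the kernel's own check. */
void demo_scrub(struct demo_kinfo_proc *kp, bool privileged)
{
    if (privileged)
        return;
    kp->kp_paddr = 0;
    kp->kp_fd = 0;
    kp->kp_ktaddr = 0;
    kp->kp_lwp.kl_wchan = 0;
}

/* Returns true if any exported field still carries an address. */
bool demo_leaks_address(const struct demo_kinfo_proc *kp)
{
    return kp->kp_paddr || kp->kp_fd || kp->kp_ktaddr || kp->kp_lwp.kl_wchan;
}
```

The scrub has to run on every export path, including the nested kp_lwp copy, or one field is enough to recover the others' neighbourhood.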