Index: sys/amd64/include/vmparam.h
===================================================================
--- sys/amd64/include/vmparam.h	(revision 260205)
+++ sys/amd64/include/vmparam.h	(working copy)
@@ -170,7 +170,7 @@
 #define	VM_MAXUSER_ADDRESS	UVADDR(NUPML4E, 0, 0, 0)
 
 #define	SHAREDPAGE		(VM_MAXUSER_ADDRESS - PAGE_SIZE)
-#define	USRSTACK		SHAREDPAGE
+#define	USRSTACK		(SHAREDPAGE - 2 * PAGE_SIZE)
 
 #define	VM_MAX_ADDRESS		UPT_MAX_ADDRESS
 #define	VM_MIN_ADDRESS		(0)
Index: sys/conf/files
===================================================================
--- sys/conf/files	(revision 260205)
+++ sys/conf/files	(working copy)
@@ -2812,6 +2812,7 @@
 kern/kern_mutex.c		standard
 kern/kern_ntptime.c		standard
 kern/kern_osd.c			standard
+kern/kern_pax.c			standard
 kern/kern_physio.c		standard
 kern/kern_pmc.c			standard
 kern/kern_poll.c		optional device_polling
Index: sys/conf/options
===================================================================
--- sys/conf/options	(revision 260205)
+++ sys/conf/options	(working copy)
@@ -912,3 +912,6 @@
 RANDOM_FORTUNA	opt_random.h
 RANDOM_DEBUG	opt_random.h
 RANDOM_RWFILE	opt_random.h
+
+# Pax ASLR
+PAX_ASLR		opt_pax.h
Index: sys/kern/imgact_elf.c
===================================================================
--- sys/kern/imgact_elf.c	(revision 260205)
+++ sys/kern/imgact_elf.c	(working copy)
@@ -34,6 +34,7 @@
 #include "opt_capsicum.h"
 #include "opt_compat.h"
 #include "opt_core.h"
+#include "opt_pax.h"
 
 #include <sys/param.h>
 #include <sys/capability.h>
@@ -47,6 +48,7 @@
 #include <sys/mount.h>
 #include <sys/mman.h>
 #include <sys/namei.h>
+#include <sys/pax.h>
 #include <sys/pioctl.h>
 #include <sys/proc.h>
 #include <sys/procfs.h>
@@ -793,9 +795,12 @@
 		 * Honour the base load address from the dso if it is
 		 * non-zero for some reason.
 		 */
-		if (baddr == 0)
+		if (baddr == 0) {
 			et_dyn_addr = ET_DYN_LOAD_ADDR;
-		else
+#ifdef PAX_ASLR
+			pax_aslr_exec(&et_dyn_addr);
+#endif
+		} else
 			et_dyn_addr = 0;
 	} else
 		et_dyn_addr = 0;
Index: sys/kern/kern_exec.c
===================================================================
--- sys/kern/kern_exec.c	(revision 260205)
+++ sys/kern/kern_exec.c	(working copy)
@@ -32,6 +32,7 @@
 #include "opt_kdtrace.h"
 #include "opt_ktrace.h"
 #include "opt_vm.h"
+#include "opt_pax.h"
 
 #include <sys/param.h>
 #include <sys/capability.h>
@@ -52,6 +53,7 @@
 #include <sys/imgact_elf.h>
 #include <sys/wait.h>
 #include <sys/malloc.h>
+#include <sys/pax.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/pioctl.h>
@@ -1262,6 +1264,10 @@
 	    roundup(szps, sizeof(char *)) -
 	    roundup((ARG_MAX - imgp->args->stringspace), sizeof(char *));
 
+#ifdef PAX_ASLR
+	pax_aslr_stack(curthread, &destp);
+#endif
+
 	/*
 	 * install sigcode
 	 */
Index: sys/kern/kern_pax.c
===================================================================
--- sys/kern/kern_pax.c	(revision 0)
+++ sys/kern/kern_pax.c	(working copy)
@@ -0,0 +1,80 @@
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_pax.h"
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/proc.h>
+#include <sys/sysctl.h>
+#include <sys/pax.h>
+#include <sys/sysent.h>
+#include <sys/stat.h>
+#include <sys/libkern.h>
+#include <sys/mman.h>
+#include <sys/exec.h>
+
+#include <vm/pmap.h>
+#include <vm/vm_map.h>
+#include <vm/vm_extern.h>
+
+int pax_aslr_enabled = 0;
+
+SYSCTL_NODE(_security, OID_AUTO, pax, CTLFLAG_RD, 0,
+		"PaX (exploit mitigation) features.");
+SYSCTL_NODE(_security_pax, OID_AUTO, aslr, CTLFLAG_RD, 0,
+		"Address Space Layout Randomization.");
+SYSCTL_INT(_security_pax_aslr, OID_AUTO, enabled, CTLFLAG_RW,
+		&pax_aslr_enabled, 0, "Restrictions enabled.");
+
+
+/* Check if ASLR is active */
+bool
+pax_aslr_active(struct thread *td) {
+
+	if(pax_aslr_enabled) {
+		return true;
+	}
+
+	return false;
+}
+
+void
+pax_aslr_mmap(struct thread *td, vm_offset_t *addr, int flags) {
+
+	if(!pax_aslr_enabled)
+		return;
+
+	if(!(flags & MAP_FIXED) && ((*addr == 0) || !(flags & MAP_ANON))) {
+
+		*addr += PAX_ASLR_DELTA(arc4random(),
+				PAX_ASLR_DELTA_MMAP_LSB,
+				PAX_ASLR_DELTA_MMAP_LEN);
+	}
+}
+
+void
+pax_aslr_exec(vm_offset_t *addr) {
+
+	if(!pax_aslr_enabled)
+		return;
+
+	*addr += PAX_ASLR_DELTA(arc4random(),
+			PAX_ASLR_DELTA_EXEC_LSB,
+			PAX_ASLR_DELTA_EXEC_LEN);
+
+}
+
+void
+pax_aslr_stack(struct thread *td, char **addr) {
+
+	if(!pax_aslr_enabled)
+		return;
+
+	*addr += PAX_ASLR_DELTA(arc4random(),
+			PAX_ASLR_DELTA_STACK_LSB,
+			PAX_ASLR_DELTA_STACK_LEN);
+	*addr = (char *) ALIGN(*addr);
+
+}

Property changes on: sys/kern/kern_pax.c
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+FreeBSD=%H
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Index: sys/sys/pax.h
===================================================================
--- sys/sys/pax.h	(revision 0)
+++ sys/sys/pax.h	(working copy)
@@ -0,0 +1,23 @@
+#ifndef _PAX_H_
+#define _PAX_H_
+
+#include <sys/proc.h>
+
+#define PAX_ASLR_DELTA_MMAP_LSB	PAGE_SHIFT
+#define PAX_ASLR_DELTA_MMAP_LEN	((sizeof(void *) * NBBY) / 2) /* NBBY: number of bits in a byte */
+
+#define PAX_ASLR_DELTA_STACK_LSB	0
+#define PAX_ASLR_DELTA_STACK_LEN	12
+
+#define PAX_ASLR_DELTA_EXEC_LSB	PAGE_SHIFT
+#define PAX_ASLR_DELTA_EXEC_LEN	12
+
+#define PAX_ASLR_DELTA(delta, lsb, len) \
+	(((delta) & ((1UL << (len)) - 1)) << (lsb))
+
+bool pax_aslr_active(struct thread *);
+void pax_aslr_mmap(struct thread *, vm_offset_t *, int);
+void pax_aslr_stack(struct thread *, char **);
+void pax_aslr_exec(vm_offset_t *);
+
+#endif // _PAX_H_

Property changes on: sys/sys/pax.h
___________________________________________________________________
Added: svn:keywords
## -0,0 +1 ##
+FreeBSD=%H
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: sys/vm/vm_mmap.c
===================================================================
--- sys/vm/vm_mmap.c	(revision 260205)
+++ sys/vm/vm_mmap.c	(working copy)
@@ -45,6 +45,7 @@
 
 #include "opt_compat.h"
 #include "opt_hwpmc_hooks.h"
+#include "opt_pax.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -54,6 +55,7 @@
 #include <sys/mutex.h>
 #include <sys/sysproto.h>
 #include <sys/filedesc.h>
+#include <sys/pax.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/procctl.h>
@@ -414,6 +416,9 @@
 map:
 	td->td_fpop = fp;
 	maxprot &= cap_maxprot;
+#ifdef PAX_ASLR
+	pax_aslr_mmap(td, &addr, flags);
+#endif
 	error = vm_mmap(&vms->vm_map, &addr, size, prot, maxprot,
 	    flags, handle_type, handle, pos);
 	td->td_fpop = NULL;