Index: src/sys/vm/vm_mmap.c
===================================================================
--- src/sys/vm/vm_mmap.c (revision 171)
+++ src/sys/vm/vm_mmap.c (working copy)
@@ -88,6 +88,10 @@
 static int max_proc_mmap;
 SYSCTL_INT(_vm, OID_AUTO, max_proc_mmap, CTLFLAG_RW, &max_proc_mmap, 0, "");
 
+static int mmap_random = 1;
+SYSCTL_INT(_vm, OID_AUTO, mmap_random, CTLFLAG_RW, &mmap_random, 0,
+ "random mmap offset");
+
 /*
 * Set the maximum number of vm_map_entry structures per process. Roughly
 * speaking vm_map_entry structures are tiny, so allowing them to eat 1/100
@@ -266,7 +270,8 @@
 /*
 * XXX for non-fixed mappings where no hint is provided or
 * the hint would fall in the potential heap space,
- * place it after the end of the largest possible heap.
+ * place it after the end of the largest possible heap,
+ * plus a random offset, if mmap_random is set.
 *
 * There should really be a pmap call to determine a reasonable
 * location.
@@ -275,9 +280,12 @@
 if (addr == 0 ||
 (addr >= round_page((vm_offset_t)vms->vm_taddr) &&
 addr < round_page((vm_offset_t)vms->vm_daddr +
- lim_max(td->td_proc, RLIMIT_DATA))))
+ lim_max(td->td_proc, RLIMIT_DATA)))) {
 addr = round_page((vm_offset_t)vms->vm_daddr +
 lim_max(td->td_proc, RLIMIT_DATA));
+ if (mmap_random)
+ addr += arc4random() & (256 * 1024 * 1024 - 1);
+ }
 PROC_UNLOCK(td->td_proc);
 }
 if (flags & MAP_ANON) {
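Review bot: The new `vm.mmap_random` knob is declared with plain `CTLFLAG_RW`, so the mitigation can be switched off at runtime even on a system running at a raised securelevel. If the intent is a hardening feature, consider `CTLFLAG_RW | CTLFLAG_SECURE` so the setting is frozen once securelevel is above zero, and decide whether that trade-off (it also blocks enabling it late) is acceptable. The description string would be more useful if it stated the semantics, e.g. `"Add a random offset to the default mmap hint (0 = off)"`, and a short comment above `mmap_random` should say that any non-zero value enables it.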
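Review bot: The offset added in `addr += arc4random() & (256 * 1024 * 1024 - 1);` is not page-aligned, so the hint that `round_page()` aligned one line earlier becomes unaligned again, and the low bits of the random value add no entropy if a later stage rounds the hint (that code is not visible in this hunk). Truncating the offset keeps the hint aligned and makes the real entropy explicit: `addr += trunc_page((vm_offset_t)(arc4random() & (256 * 1024 * 1024 - 1)));`, which with 4 KB pages is 16 bits. Nothing in the hunk checks that the raised hint still lies below the top of the user map; with a large `RLIMIT_DATA` on a 32-bit address space the extra 256 MB could presumably push it out of range, so a clamp or a fallback to the unrandomized hint is worth adding. Randomization also applies only when the caller passes no hint or one inside the heap range, so mappings with any other hint remain deterministic, which the comment should say. The enclosing function starts and ends outside the hunk.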