On Wed, Jan 14, 2015 at 3:44 PM, Mathias Svensson wrote:
> Calls to malloc or mmap seem to be chosen randomly among 2 ** 20
> pages placed at a constant offset above the base of the binary.
> While none of these numbers are great (25 bits to base address with
> no knowledge, 20 bits if knowing another pointer), they are not
> particularly bad either.
I seem to have missed the fact that you can infer more about the base address, because of its ridiculous alignment requirements. This expression gives me the base of the PIE binary with probability 1/4096 on my system:

    (((uint64_t) mmap_ptr) & ~0xfffff) - 0x280000000
