NX-emulation ASLR is predictable
On 32bit non-PAE systems, the NX-emulation patch causes shared library and executable ASLR to become predictable due to moving the ranges up into the "ASCII Armor" area prefixed with a high byte of "0". This has been observed multiple times. Some discussion is here: http://<email address hidden>
Trivial demonstration (from http://<email address hidden>
$ for i in $(seq 1 1000); do cat /proc/self/maps | grep 'x.*/lib/.*libc'; done | sort | uniq -c | sort -n
...[768 lines of differing addresses]...
3 00de3000-00f36000 r-xp 00000000 fb:01 130850
174 00110000-00263000 r-xp 00000000 fb:01 130850