nThe
randomizations applied to each memory region are independent of each other
nBecause PaX
guarantees no arbitrary code execution, exploits will most likely need to access different memory regions.
nSo, if the
exploit needs access to libraries and the stack, the bits that must be guessed are the sum of the two regions: 40 bits (or 44). The chance of such an attack succeeding while depending on hard coded addresses is effectively zero.