> That's what I thought. The address your user-space program uses and the actual address in memory are two different things, aren't they?
Right. Userspace uses virtual addresses, which get mapped through page tables to become physical addresses. Some kernel addresses get identity-mapped (meaning that the virtual address matches the physical address), while some kernel addresses go through translation as well. (Specifically, on Linux, kmalloc allocates identity-mapped addresses, while vmalloc allocates virtual addresses; vmalloc allows you to have a large virtually contiguous buffer without requiring a large physically contiguous region of free memory.)
> Isn't this what enables the operating system to scramble the allocations it gives you to make it harder to implement a buffer-overflow attack?
You can do Address Space Layout Randomization (ASLR) for either virtual or physical address spaces; you want to do it for whatever type of address an attacker could otherwise make use of. Userspace processes can use ASLR for their virtual address space, so that attackers can't make use of fixed addresses. The Linux kernel doesn't normally map virtual pages to any particular well-known location in physical address space, either. The kernel can also use ASLR for some (though not all) of its own kernel-space addresses. Beyond that, recent versions of Linux also try to avoid exposing kernel-space addresses to non-root users.
Also note that ASLR doesn't generally introduce enough randomness in a 32-bit address space.
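The virtual-versus-physical distinction discussed above can be observed from userspace on Linux. The following is an added example, not part of the original comment: it reads the `/proc/self/pagemap` entry for a stack variable and decodes it according to the kernel's documented pagemap format. The helper names (`pm_decode`, `pm_offset`, `pm_read`) are hypothetical, and since Linux 4.2 the frame number reads as zero for callers without CAP_SYS_ADMIN.

```c
/* Added example: look up the physical frame behind a virtual address. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define PM_PRESENT  (1ULL << 63)        /* page is resident in RAM */
#define PM_SWAPPED  (1ULL << 62)        /* page is in swap */
#define PM_PFN_MASK ((1ULL << 55) - 1)  /* bits 0-54: page frame number */

struct pm_info { int present; int swapped; uint64_t pfn; };

/* Decode one 64-bit pagemap entry; pfn is only meaningful when present. */
struct pm_info pm_decode(uint64_t entry)
{
    struct pm_info i;
    i.present = (entry & PM_PRESENT) != 0;
    i.swapped = (entry & PM_SWAPPED) != 0;
    i.pfn = i.present ? (entry & PM_PFN_MASK) : 0;
    return i;
}

/* Byte offset inside pagemap of the entry describing vaddr's page. */
uint64_t pm_offset(uintptr_t vaddr, long page_size)
{
    return (uint64_t)(vaddr / (uintptr_t)page_size) * sizeof(uint64_t);
}

/* Read the raw entry for vaddr in this process; 0 on success, -1 on error. */
int pm_read(const void *vaddr, uint64_t *entry)
{
    long ps = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, (off_t)pm_offset((uintptr_t)vaddr, ps), SEEK_SET) >= 0
          && read(fd, entry, sizeof *entry) == (ssize_t)sizeof *entry;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    int local = 42;                     /* touched, so its page is mapped */
    uint64_t e;
    long ps = sysconf(_SC_PAGESIZE);
    if (pm_read(&local, &e) != 0) { perror("pagemap"); return 1; }
    struct pm_info i = pm_decode(e);
    printf("virtual  %p (present=%d)\n", (void *)&local, i.present);
    if (i.pfn) printf("physical 0x%llx\n", (unsigned long long)
                      (i.pfn * (uint64_t)ps + (uintptr_t)&local % (uintptr_t)ps));
    else       printf("physical hidden: PFN reads as 0 without CAP_SYS_ADMIN\n");
    return 0;
}
```

Run as an ordinary user, the virtual address changes between runs under ASLR while the physical address stays hidden; run as root, the same virtual page can map to a different frame each time.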