It's possible to access kernel memory because of inters conversion bug in 64bit file API (for example llseek).
vulners.com/securityvulns/securityvulns:doc:6577