Rafal Wojtczuk from Bromium discovered that FreeBSD wasn"t handling correctly uncanonical return addresses on Intel amd64 CPUs, allowing privilege escalation to kernel for local users.