I'm debugging a simple program on gdb, and I see addresses for local variables inside the stack frame that look like the following -- 0xffffbc10, 0xffffc340, etc.
It was my understanding that kernel-space addresses take up 0xffffffff to 0xcfffffff, and that user-space addresses start at 0xbfffffff.
Why the discrepancy here?
Edit: Note that I have turned off virtual address space randomization, stack protectors, and am compiling with -m32. Here is my compile command if it helps:
gcc -m32 -z execstack -fno-stack-protector -ggdb -static test.c -o test
If you're running a 32-bit program on a 64-bit host (and 64-bit kernel), the entire 32-bit address space is usually available to the application. In principle this is also possible on a 32-bit kernel, but Linux and (all?) other major kernels reserve part of the virtual address space to make switching between user and kernel mode more efficient.
The assumption that a 32-bit program only has a 3GB virtual address space is not valid, but since some legacy programs incorrectly assume this, the Linux "personality" system lets you run them with emulation of this behavior. It can be accessed via the setarch command's -3 option.
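Added example (not part of the answer above): it classifies a 32-bit address against the classic 3GB/1GB split and, where a 32-bit toolchain and setarch are present, compiles a tiny program like the asker's and runs it natively and under the 3GB personality so the two stack placements can be compared. It assumes a Linux host, gcc with -m32 multilib support, and the util-linux setarch command; everything else is constructed here.

```shell
#!/bin/sh
# Classify a 32-bit virtual address against the 3GB/1GB split a 32-bit
# kernel (or the ADDR_LIMIT_3GB personality) imposes: anything at or above
# 0xc0000000 is only reachable when the process has the full 4GB.
classify_addr() {
    addr=$(( $1 ))                      # shell arithmetic accepts 0x... hex
    if [ "$addr" -ge $(( 0xc0000000 )) ]; then
        echo "above-3GB"
    else
        echo "below-3GB"
    fi
}

# Build a minimal 32-bit program that prints the address of a stack local,
# then run it with and without the legacy 3GB personality.
# Always returns 0: missing tooling is reported, not treated as an error.
demo() {
    tmp=$(mktemp -d) || { echo "mktemp failed; skipping live demo"; return 0; }
    cat > "$tmp/addr.c" <<'EOF'
#include <stdio.h>
int main(void) {
    int local = 0;                      /* lives in main's stack frame */
    printf("%p\n", (void *)&local);
    return 0;
}
EOF
    # Same idea as the asker's command; -static avoids needing 32-bit libs at run time.
    if ! gcc -m32 -static "$tmp/addr.c" -o "$tmp/addr" 2>/dev/null; then
        echo "no 32-bit toolchain; skipping live demo"
        rm -rf "$tmp"
        return 0
    fi
    a=$("$tmp/addr")
    echo "native 32-bit process: $a -> $(classify_addr "$a")"
    if command -v setarch >/dev/null 2>&1; then
        # ADDR_LIMIT_3GB caps the user address space at 0xc0000000.
        b=$(setarch i386 -3 "$tmp/addr")
        echo "under setarch i386 -3: $b -> $(classify_addr "$b")"
    else
        echo "setarch not found; 3GB personality run skipped"
    fi
    rm -rf "$tmp"
    return 0
}

demo
```

On a 64-bit kernel the native run typically prints an address like 0xffff..., while the setarch run stays below 0xc0000000.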
User contributions licensed under CC BY-SA 3.0