Use of userspace capability as kernel capability in hybrid compatibility layer for syscall getfhat

[RoundofThree]

• Type: User provided capability passed to functions meant for copying data between kernel memory locations, causing panic (due to PAN?)
• Trigger Conditions: For a jail, prison_check_nfsd in the kernel has to return true, which means allow.nfsd must be set, plus a few more conditions in the comment above the function. This feels like a rare usecase. Trigger code must run in hybrid mode.
• Impact: Local DoS on CheriBSD only.
• Root cause:
  freebsd64_getfhat calls kern_getfhat with UIO_SYSSPACE as 5th argument. This makes kern_getfhat treat the 4th argument coming from userspace as a kernel capability.

Tagging @YiChenChai.