Problem Description:
When the JAIL_AT_DESC flag is specified, kern_jail_set() and
kern_jail_get() released the reference to the caller's current
prison before looking up the jail descriptor. If the descriptor
lookup failed, error-handling paths released the same reference a
second time.
Impact:
An unprivileged local user can trigger a prison reference count
underflow, which may cause the prison structure to be freed while
still in use. When this is done on the jail host, the bug will
generally result in an immediate panic. However, if the user is
running in a jail, then it may be possible to exploit the bug to
elevate privileges.