bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
over-write, the MMIO handler serves the heap allocated structure
tpm_ppi_qemu.
The issue is that the structure size is smaller than 0x1000 and the
handler does not validate the offset and size (sizeof is 0x15A while the
handler allows up to 0x1000 bytes)
Reported by: Synacktiv
Reviewed by: corvink
Security: FreeBSD-SA-24:10.bhyve
Security: CVE-2024-41928
Security: HYP-01
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45980
(cherry picked from commit a06fc21e770a482c8915411ebc98c870e42dd29b)
(cherry picked from commit 6ce4821f0859eb00e1754917e1471184755b6358)
Approved by: so