bhyve/nvme: Fix infinite loop in queue processing
In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd,
infinite loops are possible in the bhyve process if the sq->tail value
is greater than sq->size.
An attacker could overload the host CPU.
The fix is to validate that doorbell values:
- Are for a valid (i.e., created) queue
- Are not the same as the previous value
- Fit within the available capacity
The emulation will generate an Asynchronous Event Notification (Invalid
Doorbell or Invalid Doorbell Value) if enabled and ignore the doorbell
update.
While in the neighborhood, remove a redundant bounds check.
Reported by: Synacktiv
MFC after: 1 week
Security: HYP-14
Security: FreeBSD-SA-24:17.bhyve
Approved by: so
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46064
(cherry picked from commit 5374b9e146811757540e35553a7712c5b9b29239)
(cherry picked from commit 86ba5941b132c73476a2a1b76ae53902a027b81c)
(cherry picked from commit df1a36fdfae603ce298b8396ae3388d337c3c5b3)
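The three doorbell checks listed in the message, as an added example that is not bhyve's code: a hypothetical validate_sq_tail_doorbell over a hypothetical struct sq_state, where "fit within the available capacity" is interpreted as the newly submitted entries fitting into the ring's free slots.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical submission-queue state (not bhyve's own struct): a ring of
 * `size` entries; the emulation consumes entries from `head` up to `tail`. */
struct sq_state {
    bool created;    /* queue exists (created by the guest, or the admin queue) */
    uint32_t size;   /* number of entries in the ring */
    uint32_t head;   /* next entry the emulation will process */
    uint32_t tail;   /* last accepted tail doorbell value */
};

enum doorbell_status {
    DOORBELL_OK = 0,
    DOORBELL_INVALID_QUEUE,   /* caller raises AEN "Invalid Doorbell" */
    DOORBELL_INVALID_VALUE,   /* caller raises AEN "Invalid Doorbell Value" */
};

/* Validate a guest write of `value` to the tail doorbell of queue `qid`.
 * The write is accepted (sq->tail updated) only if all checks pass; otherwise
 * it is ignored and the caller can raise the matching asynchronous event.
 * Without the size check, a processing loop such as
 *   while (sq->head != sq->tail) sq->head = (sq->head + 1) % sq->size;
 * never terminates once tail >= size, because head can never reach it. */
enum doorbell_status
validate_sq_tail_doorbell(struct sq_state *queues, size_t nqueues,
                          size_t qid, uint32_t value)
{
    if (qid >= nqueues || !queues[qid].created)
        return DOORBELL_INVALID_QUEUE;    /* check 1: queue must exist */

    struct sq_state *sq = &queues[qid];

    if (value == sq->tail)
        return DOORBELL_INVALID_VALUE;    /* check 2: must differ from previous */

    if (value >= sq->size)
        return DOORBELL_INVALID_VALUE;    /* check 3a: index must be inside the ring */

    /* check 3b: new entries must fit in the free slots; a head/tail ring holds
     * at most size-1 entries, and both distances are taken modulo size. */
    uint32_t in_use = (sq->tail - sq->head + sq->size) % sq->size;
    uint32_t free_slots = sq->size - 1 - in_use;
    uint32_t submitted = (value - sq->tail + sq->size) % sq->size;
    if (submitted > free_slots)
        return DOORBELL_INVALID_VALUE;

    sq->tail = value;
    return DOORBELL_OK;
}
```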