From 35d6724310c2672940dc18ea5049dd5ba6c587d8 Mon Sep 17 00:00:00 2001
From: Patrick Daly <pdaly@codeaurora.org>
Date: Mon, 16 May 2016 19:36:57 -0700
Subject: [PATCH] ion: system_secure_heap: Add additional argument verification
 for ioctl

Impose maximum array sizes on the data for ION_IOCTL_PREFETCH. This
simplifies detection of erroneous requests from userspace.

Change-Id: I1a0ec8d264337b76b55242f8d593258624855ad8
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
---
 drivers/staging/android/ion/ion_system_secure_heap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/android/ion/ion_system_secure_heap.c b/drivers/staging/android/ion/ion_system_secure_heap.c
index d519a0937a9f..489c84a39dde 100644
--- a/drivers/staging/android/ion/ion_system_secure_heap.c
+++ b/drivers/staging/android/ion/ion_system_secure_heap.c
@@ -202,6 +202,9 @@ static int alloc_prefetch_info(
 	if (!is_secure_vmid_valid(get_secure_vmid(vmid)))
 		return -EINVAL;
 
+	if (nr_sizes > 0x10)
+		return -EINVAL;
+
 	for (i = 0; i < nr_sizes; i++) {
 		info = kzalloc(sizeof(*info), GFP_KERNEL);
 		if (!info)
@@ -235,6 +238,9 @@ int ion_system_secure_heap_prefetch(struct ion_heap *heap, void *ptr)
 	if ((int)heap->type != ION_HEAP_TYPE_SYSTEM_SECURE)
 		return -EINVAL;
 
+	if (data->nr_regions > 0x10)
+		return -EINVAL;
+
 	for (i = 0; i < data->nr_regions; i++) {
 		ret = alloc_prefetch_info(&data->regions[i], &items);
 		if (ret)