fix: limit Vec::with_capacity in binary calldata decoder to prevent OOM#320
lau90eth wants to merge 2 commits into
Conversation
Fixes index-out-of-bounds panic when a malicious leader injects `Bytes::new()` as a nondet result. `data[0]` would panic if `data` is empty.
Affected: executor/src/wasi/genlayer_sdk.rs ~L1305
PoC: https://github.com/lau90eth/genvm-nondet-panic

Adds a `MAX_ARRAY_CAPACITY` guard before `Vec::with_capacity(full_size)` in the binary calldata decoder. Without this check, a malicious calldata packet with a large array size field causes an OOM allocation.
Affected: executor/crates/calldata/src/bin.rs:214
PoC: https://github.com/lau90eth/genvm-bin-oom
Summary
Adds a maximum capacity guard in the binary calldata decoder to prevent OOM allocation via malicious input.
Root Cause
In `executor/crates/calldata/src/bin.rs:214`, `Vec::with_capacity(full_size)` is called where `full_size` comes directly from untrusted wire data with no upper bound check. A malicious calldata packet can set the array size field to a large value (e.g. `0xFFFFFFFF`), causing the allocator to attempt a multi-GB allocation and crash the validator process.
Impact
Validator OOM crash — consensus liveness compromised. Introduced in commit 699ec88 (`feat: add limit to calldata parsing`), which rewrote the decoder in `bin.rs` without carrying over the original bounds check from `de.rs`.
Fix
Added a `MAX_ARRAY_CAPACITY = 1024 * 1024` guard before `Vec::with_capacity`, returning an error for oversized arrays.
PoC
https://github.com/lau90eth/genvm-bin-oom
Related
Finding originally submitted to GenLayer Builders Program portal.
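The allocation pattern described in the PR description and in the Root Cause and Fix sections above, as an added example that is not genvm's code: a toy length-prefixed array decoder with the vulnerable shape beside a hardened one. The wire format (a u32 little-endian element count followed by u32 little-endian elements), the function names, the error type and the `encode`/`malicious_packet` helpers are assumptions made for this example; the `1024 * 1024` cap is the value the PR states. The hardened decoder adds a second bound the PR does not describe: it also refuses to reserve more elements than the remaining bytes can hold, so a count under the cap but far beyond the packet still allocates nothing.

```rust
// Added example, not code from genvm. A toy length-prefixed array decoder in
// the shape of the bug this PR fixes. Wire format (assumed for the example):
// u32 LE element count, then that many u32 LE elements.
use std::convert::TryInto;

/// Same cap the PR adds in bin.rs (value taken from the PR description).
pub const MAX_ARRAY_CAPACITY: usize = 1024 * 1024;
const ELEM_SIZE: usize = 4;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated { needed: usize, available: usize },
    TooLarge { requested: usize, max: usize },
}

fn read_u32(input: &[u8]) -> Result<(u32, &[u8]), DecodeError> {
    if input.len() < 4 {
        return Err(DecodeError::Truncated { needed: 4, available: input.len() });
    }
    let v = u32::from_le_bytes(input[..4].try_into().unwrap());
    Ok((v, &input[4..]))
}

/// Vulnerable shape (kept for contrast; never feed it attacker input):
/// `Vec::with_capacity(full_size)` runs before any element is read, so a
/// count of 0xFFFF_FFFF asks the allocator for ~16 GiB of u32 up front and
/// the process aborts when that allocation fails.
pub fn decode_vulnerable(input: &[u8]) -> Result<Vec<u32>, DecodeError> {
    let (count, mut rest) = read_u32(input)?;
    let full_size = count as usize;
    let mut out = Vec::with_capacity(full_size); // unbounded, attacker-chosen
    for _ in 0..full_size {
        let (v, r) = read_u32(rest)?;
        out.push(v);
        rest = r;
    }
    Ok(out)
}

/// Hardened shape. Two checks run before the allocation: the PR's absolute
/// cap, and a bound derived from the bytes actually present, so a count that
/// is under the cap but exceeds the packet is rejected without reserving.
pub fn decode_hardened(input: &[u8]) -> Result<Vec<u32>, DecodeError> {
    let (count, mut rest) = read_u32(input)?;
    let full_size = count as usize;
    if full_size > MAX_ARRAY_CAPACITY {
        return Err(DecodeError::TooLarge { requested: full_size, max: MAX_ARRAY_CAPACITY });
    }
    // No overflow possible: full_size <= 2^20, so needed <= 2^22.
    let needed = full_size * ELEM_SIZE;
    if needed > rest.len() {
        return Err(DecodeError::Truncated { needed, available: rest.len() });
    }
    let mut out = Vec::with_capacity(full_size); // now provably <= packet size
    for _ in 0..full_size {
        let (v, r) = read_u32(rest)?;
        out.push(v);
        rest = r;
    }
    Ok(out)
}

/// Encoder used only to build well-formed packets for this example.
pub fn encode(values: &[u32]) -> Vec<u8> {
    let mut out = Vec::with_capacity(4 + values.len() * ELEM_SIZE);
    out.extend_from_slice(&(values.len() as u32).to_le_bytes());
    for v in values {
        out.extend_from_slice(&v.to_le_bytes());
    }
    out
}

/// Constructed malicious packet in the spirit of the PR description: the
/// count field is 0xFFFFFFFF and no element bytes follow it.
pub fn malicious_packet() -> Vec<u8> {
    0xFFFF_FFFFu32.to_le_bytes().to_vec()
}

fn main() {
    println!("{:?}", decode_hardened(&encode(&[1, 2, 3])));
    println!("{:?}", decode_hardened(&malicious_packet()));
}
```

The absolute cap alone still lets a packet that claims 1,000 elements but carries two reserve 1,000 slots before the decoder notices the input is short; harmless at this size, but the second check keeps the reservation proportional to what was actually received, which is the stronger property to aim for in a decoder that faces untrusted peers.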