Wasm merge allocation bounds #1999

Draft
cursor[bot] wants to merge 1 commit into feat/sync-wasm-merge-callback from cursor/wasm-merge-allocation-bounds-eee0

Conversation

@cursor cursor bot commented Feb 14, 2026

Fix: Prevent unbounded WASM merge result allocation

Description

This PR fixes a high-severity security issue (bug_id: 100da2d4-924a-4cba-9cf1-fd5f790966de) where the read_from_wasm function in the merge callback could allocate an unbounded amount of memory based on untrusted lengths provided by WASM modules. This vulnerability could lead to a denial-of-service by allowing a malicious or buggy WASM module to trigger massive host memory allocations, potentially crashing the node during synchronization.

The fix introduces a MAX_WASM_MERGE_RESULT_LEN constant (10MB) and validates the requested allocation size against this limit before proceeding. If the requested length exceeds this maximum, a MergeError::WasmResultTooLarge error is returned, preventing excessive memory consumption.

Test plan

  • The project was successfully built (cargo build).
  • All existing unit and integration tests passed (cargo test).
  • Code formatting (cargo fmt --check) and linting (cargo clippy) checks were performed and passed.
  • No new end-to-end tests were added as this is an internal runtime stability fix. Reproduction would involve a crafted WASM module returning an oversized data_len or error_len to trigger the new WasmResultTooLarge error.

Documentation update

No public or internal documentation updates are required.


Add MAX_MERGE_RESULT_SIZE constant (10 MiB) and validate data_len/error_len
in read_from_wasm() before allocating Vec<u8>. This protects against
denial-of-service attacks where a malicious or buggy WASM module returns
an extremely large length value, which would cause the host to allocate
excessive memory during sync.

The validation occurs before the allocation, ensuring that untrusted
length values from WASM guest code cannot exhaust host memory.

cursor bot commented Feb 14, 2026

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents

@github-actions

Your PR title does not adhere to the Conventional Commits convention:

<type>(<scope>): <subject>

Common errors to avoid:

  1. The title must be in lower case.
  2. Allowed type values are: build, ci, docs, feat, fix, perf, refactor, test.

@meroreviewer meroreviewer bot left a comment

🤖 AI Code Reviewer

Reviewed by 3 agents | Quality score: 100% | Review time: 102.4s

🟡 1 warning. See inline comments.


🤖 Generated by AI Code Reviewer | Review ID: review-cbd677e9

///
/// Returns an error if:
/// - The length exceeds `MAX_MERGE_RESULT_SIZE` (protects against DoS)
/// - The memory read fails
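
Review bot: the "Returns an error if" list in this doc comment should name the variant the oversized-length branch actually returns, `MergeError::WasmResultTooLarge` per the PR description, so callers know what to match on rather than just "an error". Separately, the PR description calls the limit `MAX_WASM_MERGE_RESULT_LEN` (10MB) while this doc comment and the commit message use `MAX_MERGE_RESULT_SIZE` (10 MiB); the description should be corrected to the name and unit the code uses so the two do not drift.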

🟡 Missing unit test for bounds validation

The new size validation is a critical defensive check but has no test coverage; a unit test verifying the error is returned when len > MAX_MERGE_RESULT_SIZE would prevent future regressions.

Suggested fix:

Add a test that calls `read_from_wasm` with a length exceeding `MAX_MERGE_RESULT_SIZE` and asserts the expected error is returned.
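
A bounded `read_from_wasm` in the shape the PR describes, as an added example that is not the PR's own code, with the regression test the review asks for. The constant name, the `MergeError::WasmResultTooLarge` variant and the 10 MiB limit are taken from the PR; modelling linear memory as a `&[u8]`, the `(ptr, len)` signature and the `OutOfBounds` variant are assumptions.

```rust
// Added example, not code from the PR. It stands in for the host side of the
// merge callback: the guest hands back (ptr, len) into its linear memory and
// the host copies the bytes out. `memory` is a byte slice modelling WASM
// linear memory; the real host reads through its runtime API.

/// Cap on a single merge result (data or error) the host will copy out.
pub const MAX_MERGE_RESULT_SIZE: usize = 10 * 1024 * 1024; // 10 MiB

#[derive(Debug, PartialEq, Eq)]
pub enum MergeError {
    /// Guest-reported length exceeds `MAX_MERGE_RESULT_SIZE`.
    WasmResultTooLarge { len: usize, max: usize },
    /// `ptr..ptr+len` does not lie inside the guest's linear memory (assumed variant).
    OutOfBounds { ptr: usize, len: usize, memory_size: usize },
}

/// Hardened read. The unpatched path sized a `Vec<u8>` from `len` before
/// reading guest memory, so a hostile length drove the allocation. Here the
/// cap is checked first, then the range, and the Vec is sized only from a
/// range already proven to exist inside linear memory.
pub fn read_from_wasm(memory: &[u8], ptr: u32, len: u32) -> Result<Vec<u8>, MergeError> {
    let (ptr, len) = (ptr as usize, len as usize);
    if len > MAX_MERGE_RESULT_SIZE {
        return Err(MergeError::WasmResultTooLarge { len, max: MAX_MERGE_RESULT_SIZE });
    }
    let oob = || MergeError::OutOfBounds { ptr, len, memory_size: memory.len() };
    // checked_add: ptr + len must not wrap around on 32-bit hosts either.
    let end = ptr.checked_add(len).ok_or_else(oob)?;
    let bytes = memory.get(ptr..end).ok_or_else(oob)?;
    Ok(bytes.to_vec()) // the first and only allocation
}

#[cfg(test)]
mod tests {
    use super::*;

    /// The regression test the review asks for: an oversized length is
    /// rejected before any allocation, whatever linear memory holds.
    #[test]
    fn oversized_len_is_rejected_before_allocation() {
        let memory = [0u8; 16]; // constructed stand-in for linear memory
        let len = (MAX_MERGE_RESULT_SIZE + 1) as u32;
        let err = read_from_wasm(&memory, 0, len).unwrap_err();
        assert!(matches!(err, MergeError::WasmResultTooLarge { .. }));
        // An in-bounds, in-cap read still succeeds.
        assert_eq!(read_from_wasm(&memory, 4, 8), Ok(vec![0u8; 8]));
    }
}
```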

@github-actions

This pull request has been automatically marked as stale. If this pull request is still relevant, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize reviewing it yet. Your contribution is very much appreciated.

@github-actions github-actions bot added the Stale label Feb 22, 2026