feat: miner: max prove commit sector batch size

actors/miner/src/lib.rs

@@ -1787,7 +1787,7 @@ impl Actor {
                     params.sector_proofs.len()
                 ));
             }
-            validate_seal_proofs(precommits[0].info.seal_proof, &params.sector_proofs)?;
+            validate_seal_proofs(precommits[0].info.seal_proof, &params.sector_proofs, policy)?;
         } else {
             if params.aggregate_proof_type != Some(RegisteredAggregateProof::SnarkPackV2) {
                 return Err(actor_error!(
@@ -1960,6 +1960,7 @@ impl Actor {
         // Validate caller and parameters.
         let st: State = rt.state()?;
         let store = rt.store();
+        let policy = rt.policy();
         // Note: this accepts any caller for legacy, but probably shouldn't.
         // Since the miner can provide arbitrary control addresses, there's not much advantage
         // in allowing any caller, but some risk if there's an exploitable bug.
@@ -1977,7 +1978,7 @@ impl Actor {
                 actor_error!(not_found, "no pre-commited sector {}", params.sector_number)
             })?;
 
-        validate_seal_proofs(precommit.info.seal_proof, &[params.proof.clone()])?;
+        validate_seal_proofs(precommit.info.seal_proof, &[params.proof.clone()], policy)?;
 
         let allow_deals = true; // Legacy onboarding entry points allow pre-committed deals.
         let all_or_nothing = true; // The singleton must succeed.
@@ -4766,7 +4767,16 @@ fn validate_precommits(
 fn validate_seal_proofs(
     seal_proof_type: RegisteredSealProof,
     proofs: &[RawBytes],
+    policy: &Policy,
 ) -> Result<(), ActorError> {
+    if proofs.len() > policy.prove_commit_sector_batch_max_size {
+        return Err(actor_error!(
+            illegal_argument,
+            "batch of {} too large, max {}",
+            proofs.len(),
+            policy.prove_commit_sector_batch_max_size
+        ));
+    }
     let max_proof_size =
         seal_proof_type.proof_size().with_context_code(ExitCode::USR_ILLEGAL_STATE, || {
             format!("failed to determine max proof size for type {:?}", seal_proof_type,)

runtime/src/runtime/policy.rs

@@ -24,6 +24,8 @@ pub struct Policy {
     pub pre_commit_sector_batch_max_size: usize,
     /// The maximum number of sector replica updates in a single batch.
     pub prove_replica_updates_max_size: usize,
+    /// The maximum number of sector prove commits in a single batch.
+    pub prove_commit_sector_batch_max_size: usize,
 
     /// The delay between pre commit expiration and clean up from state. This enforces that expired pre-commits
     /// stay in state for a period of time creating a grace period during which a late-running aggregated prove-commit
@@ -165,6 +167,8 @@ impl Default for Policy {
             max_replica_update_proof_size: policy_constants::MAX_REPLICA_UPDATE_PROOF_SIZE,
             pre_commit_sector_batch_max_size: policy_constants::PRE_COMMIT_SECTOR_BATCH_MAX_SIZE,
             prove_replica_updates_max_size: policy_constants::PROVE_REPLICA_UPDATES_MAX_SIZE,
+            prove_commit_sector_batch_max_size:
+                policy_constants::PROVE_COMMIT_SECTOR_BATCH_MAX_SIZE,
             expired_pre_commit_clean_up_delay: policy_constants::EXPIRED_PRE_COMMIT_CLEAN_UP_DELAY,
             wpost_proving_period: policy_constants::WPOST_PROVING_PERIOD,
             wpost_challenge_window: policy_constants::WPOST_CHALLENGE_WINDOW,
@@ -244,6 +248,9 @@ pub mod policy_constants {
     // Same as PRE_COMMIT_SECTOR_BATCH_MAX_SIZE for consistency.
     pub const PROVE_REPLICA_UPDATES_MAX_SIZE: usize = PRE_COMMIT_SECTOR_BATCH_MAX_SIZE;
 
+    // Same as PRE_COMMIT_SECTOR_BATCH_MAX_SIZE for consistency.
+    pub const PROVE_COMMIT_SECTOR_BATCH_MAX_SIZE: usize = PRE_COMMIT_SECTOR_BATCH_MAX_SIZE;
+
     pub const EXPIRED_PRE_COMMIT_CLEAN_UP_DELAY: i64 = 8 * EPOCHS_IN_HOUR;
 
     pub const WPOST_PROVING_PERIOD: ChainEpoch = EPOCHS_IN_DAY;