sigp / beacon-fuzz

Differential Fuzzer for Ethereum 2.0

[FUZZ] Beaconfuzz_v2 crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703 in attestation

Daft-Wullie opened this issue · comments

I've done and provided the following:

  • Checked to see if any other [FUZZ] issue already refers to that crasher
  • Attached the crashing input (either attached to the issue as a .zip or .gz, or as a link to a file sharing service)
  • Noted the beacon-fuzz version or commit used.
  • Provided crash output
  • Noted the command or fuzzer used to generate the crash
  • Name of the original crash file
  • (Optional but optimal) Checked if the crash can be consistently replicated by re-running the input.

Info to Reproduce

Crash output and stacktrace

thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
  left: `true`,
 right: `false`', /home/beacon-fuzz/beaconfuzz_v2/libs/eth2clientsfuzz/src/attestation.rs:85:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==50522== ERROR: libFuzzer: fuzz target exited
    #0 0x560d16bd0901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb8f901)
    #1 0x560d1903ac40  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2ff9c40)
    #2 0x560d1904f9ab  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x300e9ab)
    #3 0x7fbcd1916a26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7fbcd1916bdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x560d16e0609c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xdc509c)
    #6 0x7fbcd191320f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7fbcd191318a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7fbcd18f2858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x560d19101826  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30c0826)
    #10 0x560d190eab15  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30a9b15)
    #11 0x560d1902e186  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2fed186)
    #12 0x560d190f1d57  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b0d57)
    #13 0x560d190f1908  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b0908)
    #14 0x560d190ecdeb  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30abdeb)
    #15 0x560d190f18c8  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b08c8)
    #16 0x560d190f187a  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b087a)
    #17 0x560d16ce60d7  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xca50d7)
    #18 0x560d16c7ae20  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xc39e20)
    #19 0x560d1902e1b0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2fed1b0)
    #20 0x560d1902de0f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2fece0f)
    #21 0x560d1904fe0c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x300ee0c)
    #22 0x560d19057fc0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3016fc0)
    #23 0x560d1905897c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x301797c)
    #24 0x560d1905ad7f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3019d7f)
    #25 0x560d1902c359  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2feb359)
    #26 0x560d16b4d4b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb0c4b6)
    #27 0x7fbcd18f40b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #28 0x560d16b4d65d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb0c65d)

SUMMARY: libFuzzer: fuzz target exited
MS: 1 ChangeBit-; base unit: cdff3762ea86eff7b43bc28dc652fea4c759d950
0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8f,0xfe,0xfe,0xfe,0xfe,
\x02\x00\x00\x00\x00\x00\x00\x00\x03\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xfe\xfe\xfe\xfe
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
Base64: AgAAAAAAAAADAQAAAAAAAAAAAQAAAAAAAAAAj/7+/v4=

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703

Output of `std::fmt::Debug`:

        Attestation {
            aggregation_bits: Bitfield {
                bytes: [
                    3,
                ],
                len: 8,
                _phantom: PhantomData,
            },
            data: AttestationData {
                slot: Slot(0),
                index: 1,
                beacon_block_root: 0x008ffefefefe0000000000000000000000000000000000000000000000000000,
                source: Checkpoint {
                    epoch: Epoch(0),
                    root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
                target: Checkpoint {
                    epoch: Epoch(0),
                    root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
            },
            signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
        }

Reproduce with:

        cargo fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703

Minimize test case with:

        cargo fuzz tmin struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703


────────────────────────────────────────────────────────────────────────────────

Re-ran the crashing input with ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703 and got:

    Finished release [optimized] target(s) in 0.33s
     Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/ fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703`
INFO: Seed: 2679127849
INFO: Loaded 1 modules   (202179 inline 8-bit counters): 202179 [0x56389d815461, 0x56389d846a24),
INFO: Loaded 1 PC tables (202179 PCs): 202179 [0x56389d846a28,0x56389db5c658),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Failed to calculate roughtime offset          error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/attestation.rs:61:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==56664== ERROR: libFuzzer: fuzz target exited
    #0 0x56389a194901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xc0e901)
    #1 0x56389c650970  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30ca970)
    #2 0x56389c6656db  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30df6db)
    #3 0x7fa71f9eca26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7fa71f9ecbdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x56389a3d417c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xe4e17c)
    #6 0x7fa71f9e920f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7fa71f9e918a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7fa71f9c8858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x56389c717806  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3191806)
    #10 0x56389c700af5  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x317aaf5)
    #11 0x56389c643eb6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30bdeb6)
    #12 0x56389c707d37  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3181d37)
    #13 0x56389a4874d4  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xf014d4)
    #14 0x56389a487079  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xf01079)
    #15 0x56389a487374  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xf01374)
    #16 0x56389a48ce5b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xf06e5b)
    #17 0x56389a4916dc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xf0b6dc)
    #18 0x56389a2ae0da  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xd280da)
    #19 0x56389a242e6e  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xcbce6e)
    #20 0x56389c643ee0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30bdee0)
    #21 0x56389c643b3f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30bdb3f)
    #22 0x56389c665b3c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30dfb3c)
    #23 0x56389c636c49  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b0c49)
    #24 0x56389c640a42  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30baa42)
    #25 0x56389a1114b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb8b4b6)
    #26 0x7fa71f9ca0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #27 0x56389a11165d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb8b65d)

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

  • Fuzzer ran: beaconfuzz_v2
  • Version/Commit used: 9404192
  • Operating System and version: Ubuntu 20.04

For analysis, here is a package with:

attestation.ssz  beacon.ssz  output_beaconfuzz_debug.txt  prysm_post.ssz

issue_78_attestation.zip

You can reproduce with:

../beaconfuzz_v2 debug beacon.ssz attestation.ssz attestation

FYI,

  • lighthouse rejects this voluntaryexit processing with the error:
    AttestationInvalid { index: 0, reason: BadCommitteeIndex }
  • prysm accepts the voluntaryexit processing
  • nimbus rejects the voluntaryexit processing
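The three-way disagreement above is the whole point of a differential fuzzer: the harness does not need to know which client is right, only that they answered differently. The following is an added example (not beacon-fuzz code, and not Lighthouse, Prysm or Nimbus code) that reduces the situation in this issue to its core: a spec-style committee-index bound check, a second implementation with a constructed off-by-one in that check, and a harness that runs both on the same input and reports the mismatch. The constants are the mainnet phase 0 values; the validator count and the `AttestationData` fields (slot 0, index 1, mirroring the crasher's `Debug` output) are constructed.

```rust
// Added example: minimal differential check for the attestation committee index.
// Mainnet phase 0 spec constants (MAX_COMMITTEES_PER_SLOT, SLOTS_PER_EPOCH,
// TARGET_COMMITTEE_SIZE); everything else below is constructed for illustration.
const MAX_COMMITTEES_PER_SLOT: u64 = 64;
const SLOTS_PER_EPOCH: u64 = 32;
const TARGET_COMMITTEE_SIZE: u64 = 128;

/// The subset of AttestationData the committee-index check looks at.
#[derive(Debug, Clone, Copy)]
pub struct AttestationData {
    pub slot: u64,
    pub index: u64,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Valid,
    BadCommitteeIndex,
}

/// Spec get_committee_count_per_slot: derived from the active validator count,
/// clamped to [1, MAX_COMMITTEES_PER_SLOT]. A small state yields exactly one
/// committee per slot, so any index other than 0 is out of range.
pub fn committee_count_per_slot(active_validators: u64) -> u64 {
    let by_size = active_validators / SLOTS_PER_EPOCH / TARGET_COMMITTEE_SIZE;
    by_size.clamp(1, MAX_COMMITTEES_PER_SLOT)
}

/// Strict implementation: enforces `data.index < committee_count_per_slot`,
/// the check process_attestation requires (what a rejecting client does).
pub fn validate_strict(data: &AttestationData, active_validators: u64) -> Verdict {
    if data.index >= committee_count_per_slot(active_validators) {
        Verdict::BadCommitteeIndex
    } else {
        Verdict::Valid
    }
}

/// Lenient implementation: same check with a constructed off-by-one (`>` instead
/// of `>=`), so index == committee count slips through. This stands in for an
/// implementation that accepts an input the others reject.
pub fn validate_lenient(data: &AttestationData, active_validators: u64) -> Verdict {
    if data.index > committee_count_per_slot(active_validators) {
        Verdict::BadCommitteeIndex
    } else {
        Verdict::Valid
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DiffResult {
    Agree(Verdict),
    Mismatch { strict: Verdict, lenient: Verdict },
}

/// Differential harness: run both implementations on the same input and
/// surface any disagreement. This is the condition a differential fuzz target
/// turns into a panic (the "Mismatch post" assertion seen in the output above).
pub fn differential(data: &AttestationData, active_validators: u64) -> DiffResult {
    let strict = validate_strict(data, active_validators);
    let lenient = validate_lenient(data, active_validators);
    if strict == lenient {
        DiffResult::Agree(strict)
    } else {
        DiffResult::Mismatch { strict, lenient }
    }
}

fn main() {
    // Constructed input mirroring the crasher: slot 0, committee index 1, against
    // an assumed small state of 64 active validators (one committee per slot).
    let data = AttestationData { slot: 0, index: 1 };
    match differential(&data, 64) {
        DiffResult::Agree(v) => println!("implementations agree: {:?}", v),
        DiffResult::Mismatch { strict, lenient } => {
            println!("MISMATCH: strict={:?} lenient={:?}", strict, lenient)
        }
    }
}
```

The consensus-relevant point is that either verdict alone is uninteresting to the fuzzer; the mismatch is what matters, because a client that accepts an attestation its peers reject will follow a different chain. Triage then consists of checking the input against the spec rule, which here says index 1 is invalid when only one committee exists for the slot.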

I believe this should have been resolved by the Prysm team in this PR. @pventuzelo could you please rebuild the libpfuzz library and see if we can reproduce?

@zedt3ster Even with the last version I got the same issue

This issue was fixed in Prysm and released today in beta.1. Thanks!

Confirmed this is a valid bug, see this PR for more details. Thanks @Daft-Wullie for reporting!