[FUZZ] Beaconfuzz_v2 crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703 in attestation
Daft-Wullie opened this issue
I've done and provided the following:
- Checked to see if any other [FUZZ] issue already refers to that crasher
- Attached the crashing input (either attached to the issue as a .zip or .gz, or as a link to a file sharing service)
- Noted the beacon-fuzz version or commit used
- Provided crash output
- Noted the command or fuzzer used to generate the crash
- Name of the original crash file
- (Optional but optimal) Checked if the crash can be consistently replicated by re-running the input.
Info to Reproduce
- Command run: make fuzz_attestation-struct
- Crasher file name: crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703 (attached as crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703.zip)
- Client exercised: N/A
- Fuzzing engine used (if applicable): libfuzzer
Crash output and stacktrace
thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
left: `true`,
right: `false`', /home/beacon-fuzz/beaconfuzz_v2/libs/eth2clientsfuzz/src/attestation.rs:85:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==50522== ERROR: libFuzzer: fuzz target exited
SUMMARY: libFuzzer: fuzz target exited
MS: 1 ChangeBit-; base unit: cdff3762ea86eff7b43bc28dc652fea4c759d950
0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8f,0xfe,0xfe,0xfe,0xfe,
\x02\x00\x00\x00\x00\x00\x00\x00\x03\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xfe\xfe\xfe\xfe
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
Base64: AgAAAAAAAAADAQAAAAAAAAAAAQAAAAAAAAAAj/7+/v4=
────────────────────────────────────────────────────────────────────────────────
Failing input:
fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
Output of `std::fmt::Debug`:
    Attestation {
        aggregation_bits: Bitfield {
            bytes: [
                3,
            ],
            len: 8,
            _phantom: PhantomData,
        },
        data: AttestationData {
            slot: Slot(0),
            index: 1,
            beacon_block_root: 0x008ffefefefe0000000000000000000000000000000000000000000000000000,
            source: Checkpoint {
                epoch: Epoch(0),
                root: 0x0000000000000000000000000000000000000000000000000000000000000000,
            },
            target: Checkpoint {
                epoch: Epoch(0),
                root: 0x0000000000000000000000000000000000000000000000000000000000000000,
            },
        },
        signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
    }
Reproduce with:
cargo fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
Minimize test case with:
cargo fuzz tmin struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
────────────────────────────────────────────────────────────────────────────────
Re-ran the crashing input with ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
and got:
Finished release [optimized] target(s) in 0.33s
Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/ fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703`
INFO: Seed: 2679127849
INFO: Loaded 1 modules (202179 inline 8-bit counters): 202179 [0x56389d815461, 0x56389d846a24),
INFO: Loaded 1 PC tables (202179 PCs): 202179 [0x56389d846a28,0x56389db5c658),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
ERRO[0018] Could not get rough time result: no reply prefix=roughtime
ERRO[0018] Could not get rough time result: no reply prefix=roughtime
ERRO[0018] Could not get rough time result: no reply prefix=roughtime
ERRO[0018] Could not get rough time result: no reply prefix=roughtime
ERRO[0018] Could not get rough time result: no reply prefix=roughtime
ERRO[0018] Could not get rough time result: no reply prefix=roughtime
ERRO[0018] Failed to calculate roughtime offset error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/attestation.rs:61:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==56664== ERROR: libFuzzer: fuzz target exited
SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────
Error: Fuzz target exited with exit code: 77
Your Environment
- Fuzzer ran: beaconfuzz_v2
- Version/Commit used: 9404192
- Operating System and version: Ubuntu 20.04
For analysis, here is a package with:
- attestation.ssz
- beacon.ssz
- output_beaconfuzz_debug.txt
- prysm_post.ssz
You can reproduce with:
../beaconfuzz_v2 debug beacon.ssz attestation.ssz attestation
FYI,
- lighthouse rejects this voluntaryexit processing with the error: AttestationInvalid { index: 0, reason: BadCommitteeIndex }
- prysm accepts the voluntaryexit processing
- nimbus rejects the voluntaryexit processing
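The client disagreement above is the kind of oracle failure the `[PRYSM] Mismatch post` panic reports: the same input is fed to several clients and any difference in outcome is a finding. As an added example (not code from beacon-fuzz or from any client), the Rust below models that oracle for the committee-index rule: `strict_validate` applies the phase-0 spec assertion `data.index < get_committee_count_per_slot(state, data.target.epoch)` (the check behind Lighthouse's `BadCommitteeIndex`), `lenient_validate` is a hypothetical client that skips the check, and `committees_per_slot = 1` is an assumed value for the fuzzing beacon state.

```rust
// Added example: a miniature differential oracle for the attestation
// committee-index check. `strict_validate` enforces the spec bound;
// `lenient_validate` is a hypothetical model of a client that omits it.
// Neither is code from beacon-fuzz or from any consensus client.

#[derive(Debug, Clone, Copy)]
pub struct AttestationData {
    pub slot: u64,
    pub index: u64,
    pub target_epoch: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accepted,
    Rejected(&'static str),
}

/// Spec check: `index` must address a committee that exists in this slot.
/// In the real spec the count is derived from the state at `target_epoch`;
/// here it is passed in so the example stays self-contained.
pub fn strict_validate(data: &AttestationData, committees_per_slot: u64) -> Verdict {
    if data.index >= committees_per_slot {
        return Verdict::Rejected("BadCommitteeIndex");
    }
    Verdict::Accepted
}

/// Hypothetical lenient model: accepts without checking the index bound.
pub fn lenient_validate(_data: &AttestationData, _committees_per_slot: u64) -> Verdict {
    Verdict::Accepted
}

/// The oracle a differential harness applies after every client has
/// processed the same input: a disagreement is reported, not ignored.
pub fn differential_check(data: &AttestationData, committees_per_slot: u64) -> Result<Verdict, String> {
    let strict = strict_validate(data, committees_per_slot);
    let lenient = lenient_validate(data, committees_per_slot);
    if strict == lenient {
        Ok(strict)
    } else {
        Err(format!("Mismatch post: strict={:?} lenient={:?}", strict, lenient))
    }
}

fn main() {
    // Constructed from the crasher's Debug output: slot 0, index 1, target epoch 0.
    let crasher = AttestationData { slot: 0, index: 1, target_epoch: 0 };
    println!("{:?}", differential_check(&crasher, 1)); // Err(Mismatch post ...)
    let in_range = AttestationData { index: 0, ..crasher };
    println!("{:?}", differential_check(&in_range, 1)); // Ok(Accepted)
}
```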
I believe this should have been resolved by the Prysm team in this PR. @pventuzelo could you please rebuild the libpfuzz library and see if we can reproduce?
@zedt3ster Even with the last version I got the same issue
This issue was fixed in Prysm and released today in beta.1. Thanks!
Confirmed this is a valid bug, see this PR for more details. Thanks @Daft-Wullie for reporting!