[FUZZ] Beaconfuzz_v2 crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95 in struct_voluntary_exit

Question

[FUZZ] Beaconfuzz_v2 crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95 in struct_voluntary_exit

Daft-Wullie opened this issue 4 years ago · comments

Daft-Wullie commented 4 years ago

I've identified a fuzzer crash and am contributing to the security of Ethereum 2!

I've done and provided the following:

Checked to see if any other [FUZZ] issue already refers to that crasher
Attached the crashing input (either attached to the issue as a .zip or .gz, or as a link to a file sharing service)
Noted the beacon-fuzz version or commit used.
Provided crash output
Noted the command or fuzzer used to generate the crash
Name of the original crash file
(Optional but optimal) Checked if the crash can be consistently replicated by re-running the input.

Info to Reproduce

Command run: e.g. make fuzz_voluntary_exit-struct
Crasher file name: crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95
crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95.zip
Beaconstate to replicate: 4931bbe36f820db3e798e9b06c52e1b2.ssz (i think, not sure as i had multiple PIDs,wasn't monitoring closely)
Client exercised: prysm(?)
Fuzzing engine used (if applicable): libfuzzer

Crash output and stacktrace

Slowest unit: 20 s:
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/slow-unit-1614bb477c022cfcc7607c32a20d270b09071d85
Base64: CgoKCgoEAADfAAAAAAAAAA==
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/voluntary_exit.rs:57:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==29109== ERROR: libFuzzer: fuzz target exited
    #0 0x5623c6802901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb8d901)
    #1 0x5623c8c636c0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fee6c0)
    #2 0x5623c8c7842b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300342b)
    #3 0x7f87ffb54a26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f87ffb54bdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x5623c6a2ea7c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xdb9a7c)
    #6 0x7f87ffb5120f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f87ffb5118a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f87ffb30858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x5623c8d2a2a6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30b52a6)
    #10 0x5623c8d13595  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x309e595)
    #11 0x5623c8c56c06  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fe1c06)
    #12 0x5623c8d1a7d7  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30a57d7)
    #13 0x5623c6ae1dd4  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe6cdd4)
    #14 0x5623c6ae1979  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe6c979)
    #15 0x5623c6ae1c74  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe6cc74)
    #16 0x5623c6aeb899  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe76899)
    #17 0x5623c6aec2bc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe772bc)
    #18 0x5623c691e28d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xca928d)
    #19 0x5623c68a3863  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xc2e863)
    #20 0x5623c8c56c30  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fe1c30)
    #21 0x5623c8c5688f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fe188f)
    #22 0x5623c8c7888c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300388c)
    #23 0x5623c8c80a40  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300ba40)
    #24 0x5623c8c81c1b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300cc1b)
    #25 0x5623c8c8368c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300e68c)
    #26 0x5623c8c54dd9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fdfdd9)
    #27 0x5623c677f4b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb0a4b6)
    #28 0x7f87ffb320b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #29 0x5623c677f65d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb0a65d)

SUMMARY: libFuzzer: fuzz target exited
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x61,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
\x00\x00\x00\x00\x00\x00\x00\x00a\x00\x00\x00\x00\x00\x00\x00
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95
Base64: AAAAAAAAAABhAAAAAAAAAA==

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95

Output of `std::fmt::Debug`:

        SignedVoluntaryExit {
            message: VoluntaryExit {
                epoch: Epoch(0),
                validator_index: 97,
            },
            signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
        }

Reproduce with:

        cargo fuzz run struct_voluntary_exit fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95

Minimize test case with:

        cargo fuzz tmin struct_voluntary_exit fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95


────────────────────────────────────────────────────────────────────────────────

re run crasher file with ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_voluntary_exit fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95
and got:

    Finished release [optimized] target(s) in 0.45s
     Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/ fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95`
INFO: Seed: 235623633
INFO: Loaded 1 modules   (201876 inline 8-bit counters): 201876 [0x55dc2b819461, 0x55dc2b84a8f5),
INFO: Loaded 1 PC tables (201876 PCs): 201876 [0x55dc2b84a8f8,0x55dc2bb5f238),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Failed to calculate roughtime offset          error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/voluntary_exit.rs:57:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==32717== ERROR: libFuzzer: fuzz target exited
    #0 0x55dc281a3901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xc0b901)
    #1 0x55dc2a655e70  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30bde70)
    #2 0x55dc2a66abdb  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30d2bdb)
    #3 0x7f310e25aa26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f310e25abdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x55dc283d95ac  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe415ac)
    #6 0x7f310e25720f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f310e25718a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f310e236858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x55dc2a71cd06  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x3184d06)
    #10 0x55dc2a705ff5  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x316dff5)
    #11 0x55dc2a6493b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30b13b6)
    #12 0x55dc2a70d237  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x3175237)
    #13 0x55dc2848c914  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xef4914)
    #14 0x55dc2848c4b9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xef44b9)
    #15 0x55dc2848c7b4  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xef47b4)
    #16 0x55dc284963d9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xefe3d9)
    #17 0x55dc28496dfc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xefedfc)
    #18 0x55dc282c47dd  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xd2c7dd)
    #19 0x55dc28248326  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xcb0326)
    #20 0x55dc2a6493e0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30b13e0)
    #21 0x55dc2a64903f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30b103f)
    #22 0x55dc2a66b03c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30d303c)
    #23 0x55dc2a63c149  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30a4149)
    #24 0x55dc2a645f42  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30adf42)
    #25 0x55dc281204b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb884b6)
    #26 0x7f310e2380b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #27 0x55dc2812065d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb8865d)

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

Fuzzer ran:
Version/Commit used:
Operating System and version:

Patrick Ventuzelo · Answer 1 · Thu Oct 08 2020 16:00:56 GMT+0800 (China Standard Time)

For analysis, here is a package with:

beacon_0298.ssz
nimbus_and_prysm_post.ssz
output_beaconfuzz_debug.txt
voluntary_exit.ssz

issue_84_voluntary_exit.zip

You can reproduce with:

../beaconfuzz_v2 debug beacon_0298.ssz voluntary_exit.ssz voluntaryexit

FYI,

lighthouse reject this voluntaryexit processing with the error: BeaconStateError(CommitteeCacheUninitialized(Some(Current)))
prysm accept the voluntaryexit processing
nimbus accept the voluntaryexit processing

This look more like a bug into the fuzzer itself than a bug in lighthouse.
@zedt3ster @gnattishness , Can you confirm this line should not be commented ?
https://github.com/sigp/beacon-fuzz/blob/master/beaconfuzz_v2/libs/lighthouse/src/voluntary_exit.rs#L16

Mehdi Zerouali · Answer 2 · Thu Oct 08 2020 16:03:54 GMT+0800 (China Standard Time)

Yup that's correct. We need to build the committee cache every epoch.

Patrick Ventuzelo · Answer 3 · Thu Oct 08 2020 16:16:28 GMT+0800 (China Standard Time)

fixed with: a99115b

new beaconfuzz output:

[LIGHTHOUSE] SSZ decoding true
[LIGHTHOUSE] Ok(())
[LIGHTHOUSE] Processing true
[PRYSM] Processing true
[NIMBUS] Processing true