Closed Daft-Wullie closed 4 years ago
I've identified a fuzzer crash and am contributing to the security of Ethereum 2!
[FUZZ]
beacon-fuzz
Info to Reproduce
Command run:
```
make prysm
docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm continuously --filter prysm
```
Crasher file name: crash-e1e5ad73574fcdfd44eae72b16ced5ec6574d5b6 crash-e1e5ad73574fcdfd44eae72b16ced5ec6574d5b6.zip
Client exercised: Prysm
Fuzzing engine used (if applicable): gofuzz
Crash output and stacktrace
```
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO[0000] New calculated roughtime offset is -30229979 ns  prefix=roughtime
beaconstate choosen: /eth2fuzz/workspace/corpora/beaconstate/13a17ba2c1cbde2d2b9ad07bde20340c.ssz
INFO: seed corpus: files: 985 min: 1b max: 4096b total: 252730b rss: 59Mb
#986     INITED ft: 411 corp: 7/97b exec/s: 0 rss: 60Mb
#2178    NEW    ft: 435 corp: 8/113b exec/s: 0 rss: 62Mb L: 16/16 MS: 2 ChangeBinInt-ChangeBit-
#2199    NEW    ft: 444 corp: 9/129b exec/s: 0 rss: 62Mb L: 16/16 MS: 1 CopyPart-
#2355    NEW    ft: 445 corp: 10/145b exec/s: 0 rss: 62Mb L: 16/16 MS: 1 ChangeByte-
#5072    NEW    ft: 446 corp: 11/161b exec/s: 5072 rss: 63Mb L: 16/16 MS: 2 ChangeBinInt-ShuffleBytes-
#16384   pulse  ft: 446 corp: 11/161b exec/s: 8192 rss: 63Mb
#21106   NEW    ft: 462 corp: 12/190b exec/s: 10553 rss: 63Mb L: 29/29 MS: 3 ChangeBinInt-CrossOver-EraseBytes-
#21108   NEW    ft: 473 corp: 13/314b exec/s: 10554 rss: 63Mb L: 124/124 MS: 2 InsertRepeatedBytes-CMP- DE: "U\x08*t"-
#27937   NEW    ft: 484 corp: 14/330b exec/s: 9312 rss: 63Mb L: 16/124 MS: 4 CopyPart-ChangeBinInt-CopyPart-ShuffleBytes-
#28596   NEW    ft: 497 corp: 15/346b exec/s: 9532 rss: 63Mb L: 16/124 MS: 4 ChangeBinInt-PersAutoDict-ChangeBit-EraseBytes- DE: "U\x08*t"-
#29277   NEW    ft: 500 corp: 16/362b exec/s: 9759 rss: 63Mb L: 16/124 MS: 1 ChangeBit-
#32768   pulse  ft: 500 corp: 16/362b exec/s: 10922 rss: 63Mb
#51813   NEW    ft: 505 corp: 17/379b exec/s: 12953 rss: 63Mb L: 17/124 MS: 1 CopyPart-
#51899   NEW    ft: 516 corp: 18/462b exec/s: 10379 rss: 63Mb L: 83/124 MS: 1 InsertRepeatedBytes-
#51934   NEW    ft: 525 corp: 19/480b exec/s: 10386 rss: 63Mb L: 18/124 MS: 5 ShuffleBytes-ChangeBinInt-InsertByte-ChangeBinInt-CopyPart-
#65536   pulse  ft: 525 corp: 19/480b exec/s: 10922 rss: 63Mb
#80047   NEW    ft: 541 corp: 20/594b exec/s: 11435 rss: 63Mb L: 114/124 MS: 3 ChangeBinInt-InsertRepeatedBytes-ChangeBit-
#110314  NEW    ft: 548 corp: 21/614b exec/s: 12257 rss: 63Mb L: 20/124 MS: 2 ChangeBinInt-PersAutoDict- DE: "U\x08*t"-
#131072  pulse  ft: 548 corp: 21/614b exec/s: 11915 rss: 63Mb
#262144  pulse  ft: 548 corp: 21/614b exec/s: 11397 rss: 63Mb
#309095  NEW    ft: 552 corp: 22/630b exec/s: 11447 rss: 63Mb L: 16/124 MS: 1 ShuffleBytes-
#390236  NEW    ft: 554 corp: 23/648b exec/s: 11477 rss: 63Mb L: 18/124 MS: 1 ChangeByte-
#524288  pulse  ft: 554 corp: 23/648b exec/s: 11397 rss: 63Mb
#719512  NEW    ft: 557 corp: 24/664b exec/s: 11420 rss: 63Mb L: 16/124 MS: 1 PersAutoDict- DE: "U\x08*t"-
#1048576 pulse  ft: 557 corp: 24/664b exec/s: 11397 rss: 63Mb
#1232969 NEW    ft: 559 corp: 25/680b exec/s: 11416 rss: 63Mb L: 16/124 MS: 1 PersAutoDict- DE: "U\x08*t"-
#1248505 NEW    ft: 560 corp: 26/700b exec/s: 11350 rss: 63Mb L: 20/124 MS: 5 InsertByte-ChangeBinInt-InsertByte-CMP-ChangeByte- DE: "\x08\x00"-
#1603619 NEW    ft: 561 corp: 27/716b exec/s: 11536 rss: 63Mb L: 16/124 MS: 1 ChangeBit-
#1603915 NEW    ft: 577 corp: 28/842b exec/s: 11456 rss: 63Mb L: 126/126 MS: 1 CMP- DE: "\x01\x03"-
#1804492 NEW    ft: 578 corp: 29/858b exec/s: 11420 rss: 63Mb L: 16/126 MS: 1 ChangeByte-
#2097152 pulse  ft: 578 corp: 29/858b exec/s: 11459 rss: 63Mb
#2138198 NEW    ft: 585 corp: 30/874b exec/s: 11434 rss: 63Mb L: 16/126 MS: 1 ChangeBinInt-
#4000183 REDUCE ft: 585 corp: 30/840b exec/s: 11461 rss: 63Mb L: 90/126 MS: 5 EraseBytes-ChangeByte-ChangeBinInt-ChangeBinInt-PersAutoDict- DE: "\x01\x03"-
#4091614 REDUCE ft: 585 corp: 30/830b exec/s: 11461 rss: 63Mb L: 10/126 MS: 1 EraseBytes-
#4194304 pulse  ft: 585 corp: 30/830b exec/s: 11491 rss: 63Mb
#4408819 NEW    ft: 590 corp: 31/899b exec/s: 11481 rss: 63Mb L: 69/126 MS: 5 EraseBytes-ShuffleBytes-ChangeBit-PersAutoDict-ChangeBit- DE: "\x08\x00"-
#4671070 NEW    ft: 592 corp: 32/915b exec/s: 11476 rss: 63Mb L: 16/126 MS: 1 ChangeBinInt-
#5857757 REDUCE ft: 592 corp: 32/874b exec/s: 11485 rss: 63Mb L: 49/126 MS: 1 EraseBytes-
#5942202 REDUCE ft: 592 corp: 32/871b exec/s: 11493 rss: 63Mb L: 14/126 MS: 4 EraseBytes-ChangeBinInt-ChangeBit-InsertByte-
#6279953 REDUCE ft: 592 corp: 32/842b exec/s: 11480 rss: 63Mb L: 85/126 MS: 5 CopyPart-PersAutoDict-PersAutoDict-EraseBytes-ChangeBit- DE: "\x08\x00"-"U\x08*t"-
#6430113 REDUCE ft: 592 corp: 32/836b exec/s: 11502 rss: 63Mb L: 43/126 MS: 4 InsertByte-ChangeByte-EraseBytes-ChangeBit-
#6652768 REDUCE ft: 592 corp: 32/821b exec/s: 11490 rss: 63Mb L: 28/126 MS: 5 CopyPart-EraseBytes-InsertByte-ChangeBit-PersAutoDict- DE: "\x08\x00"-
runtime: unexpected return pc for runtime.gopark called from 0xc000000600
stack: frame={sp:0xc00005adc0, fp:0xc00005ade0} stack=[0xc00005a000,0xc00005b000)
fatal error: unknown caller pc

runtime stack:
runtime.throw(0x11bc34e, 0x11)
        runtime/panic.go:1116 +0x74
runtime.gentraceback(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xc0001c0300, 0x0, 0x0, 0x7fffffff, 0x7fd600cecb58, 0x0, 0x0, ...)
        runtime/traceback.go:273 +0x19ff
runtime.scanstack(0xc0001c0300, 0xc00003f698)
        runtime/mgcmark.go:739 +0x162
runtime.markroot.func1()
        runtime/mgcmark.go:226 +0xc3
runtime.markroot(0xc00003f698, 0xc00000000c)
        runtime/mgcmark.go:199 +0x2f5
runtime.gcDrain(0xc00003f698, 0x3)
        runtime/mgcmark.go:999 +0x10b
runtime.gcBgMarkWorker.func2()
        runtime/mgc.go:1940 +0x82
runtime.systemstack(0x0)
        runtime/asm_amd64.s:370 +0x63
runtime.mstart()
        runtime/proc.go:1041

goroutine 12 [GC worker (idle)]:
runtime.systemstack_switch()
        runtime/asm_amd64.s:330 fp=0xc000049760 sp=0xc000049758 pc=0x4c4ea0
runtime.gcBgMarkWorker(0xc00003e000)
        runtime/mgc.go:1927 +0x1c6 fp=0xc0000497d8 sp=0xc000049760 pc=0x47f3f6
runtime.goexit()
        runtime/asm_amd64.s:1373 +0x1 fp=0xc0000497e0 sp=0xc0000497d8 pc=0x4c6fe1
created by runtime.gcBgMarkStartWorkers
        runtime/mgc.go:1821 +0x79

goroutine 17 [runnable, locked to thread]:
runtime.goexit()
        runtime/asm_amd64.s:1373 +0x1

goroutine 6 [select (scan), 10 minutes]:
fatal error: unexpected signal during runtime execution
panic during panic
[signal SIGSEGV: segmentation violation code=0x1 addr=0x118 pc=0x4bb28c]

runtime stack:
runtime.throw(0x11d33b0, 0x2a)
        runtime/panic.go:1116 +0x74
runtime.sigpanic()
        runtime/signal_unix.go:679 +0x46e
runtime.gentraceback(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xc0001c0300, 0x0, 0x0, 0x64, 0x0, 0x0, 0x0, ...)
        runtime/traceback.go:261 +0x136c
runtime.traceback1(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xc0001c0300, 0x0)
        runtime/traceback.go:736 +0xf2
runtime.traceback(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xc0001c0300)
        runtime/traceback.go:690 +0x54
runtime.tracebackothers(0xc000000d80)
        runtime/traceback.go:944 +0x1ac
runtime.dopanic_m(0xc000000d80, 0x496fa4, 0x7fd600cec7c0, 0x1)
        runtime/panic.go:1322 +0x2b7
runtime.fatalthrow.func1()
        runtime/panic.go:1171 +0x61
runtime.fatalthrow()
        runtime/panic.go:1168 +0x59
runtime.throw(0x11bc34e, 0x11)
        runtime/panic.go:1116 +0x74
runtime.gentraceback(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xc0001c0300, 0x0, 0x0, 0x7fffffff, 0x7fd600cecb58, 0x0, 0x0, ...)
        runtime/traceback.go:273 +0x19ff
runtime.scanstack(0xc0001c0300, 0xc00003f698)
        runtime/mgcmark.go:739 +0x162
runtime.markroot.func1()
        runtime/mgcmark.go:226 +0xc3
runtime.markroot(0xc00003f698, 0xc00000000c)
        runtime/mgcmark.go:199 +0x2f5
runtime.gcDrain(0xc00003f698, 0x3)
        runtime/mgcmark.go:999 +0x10b
runtime.gcBgMarkWorker.func2()
        runtime/mgc.go:1940 +0x82
runtime.systemstack(0x0)
        runtime/asm_amd64.s:370 +0x63
runtime.mstart()
        runtime/proc.go:1041
==5123== ERROR: libFuzzer: deadly signal
    #0 0x462633  (/eth2fuzz/workspace/gofuzz/prysm_voluntary_exit.libfuzzer+0x462633)
    #1 0x4194d6  (/eth2fuzz/workspace/gofuzz/prysm_voluntary_exit.libfuzzer+0x4194d6)
    #2 0x41952f  (/eth2fuzz/workspace/gofuzz/prysm_voluntary_exit.libfuzzer+0x41952f)
    #3 0x7fd62db3689f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1289f)
    #4 0x4c8c20  (/eth2fuzz/workspace/gofuzz/prysm_voluntary_exit.libfuzzer+0x4c8c20)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 4 InsertRepeatedBytes-InsertRepeatedBytes-ChangeBinInt-ShuffleBytes-; base unit: dd2c09490242edc9a0f841d038657c899584bcc0
artifact_prefix='./'; Test unit written to ./crash-e1e5ad73574fcdfd44eae72b16ced5ec6574d5b6
Fuzzer failed so we'll continue with the next one
```
Thanks for the report. I'm not able to reproduce :s Testcase rejected as invalid ssz by prysm.
Maybe an error inside the fuzzer or inside the golang runtime...