[FUZZ] Beaconfuzz_v2 crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb in proposer_slashing

[Daft-Wullie]

I've identified a fuzzer crash and am contributing to the security of Ethereum 2!

I've done and provided the following:

• [x] Checked to see if any other [FUZZ] issue already refers to that crasher
• [x] Attached the crashing input (either attached to the issue as a .zip or .gz, or as a link to a file sharing service)
• [x] Noted the beacon-fuzz version or commit used.
• [x] Provided crash output
• [x] Noted the command or fuzzer used to generate the crash
• [x] Name of the original crash file
• [x] (Optional but optimal) Checked if the crash can be consistently replicated by re-running the input.

Info to Reproduce

• Command run: e.g. make fuzz_proposer_slashing-struct

• Crasher file name: crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb.zip

• Client exercised: Prysm(?)

• Fuzzing engine used (if applicable): libfuzzer

Crash output and stacktrace

thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/proposer_slashing.rs:64:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==18650== ERROR: libFuzzer: fuzz target exited
    #0 0x560599687901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb8d901)
    #1 0x56059bae8a00  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2feea00)
    #2 0x56059bafd76b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x300376b)
    #3 0x7f093d17ea26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f093d17ebdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x5605998b3e4c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xdb9e4c)
    #6 0x7f093d17b20f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f093d17b18a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f093d15a858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x56059bbaf5e6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30b55e6)
    #10 0x56059bb988d5  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x309e8d5)
    #11 0x56059badbf46  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2fe1f46)
    #12 0x56059bb9fb17  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30a5b17)
    #13 0x560599967194  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe6d194)
    #14 0x560599966d39  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe6cd39)
    #15 0x560599967034  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe6d034)
    #16 0x560599970398  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe76398)
    #17 0x56059997161c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe7761c)
    #18 0x5605997a0b8f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xca6b8f)
    #19 0x560599728e08  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xc2ee08)
    #20 0x56059badbf70  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2fe1f70)
    #21 0x56059badbbcf  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2fe1bcf)
    #22 0x56059bafdbcc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x3003bcc)
    #23 0x56059bb05d80  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x300bd80)
    #24 0x56059bb0673c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x300c73c)
    #25 0x56059bb08b3f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x300eb3f)
    #26 0x56059bada119  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2fe0119)
    #27 0x5605996044b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb0a4b6)
    #28 0x7f093d15c0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #29 0x56059960465d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb0a65d)

SUMMARY: libFuzzer: fuzz target exited
MS: 3 InsertByte-ChangeBinInt-CopyPart-; base unit: 60fefc0d09bfe291446f7d226fc99ade6570abb2
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xb4,0x0,0xf9,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa,
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x00\xf9\x00\x00\x00\x00\x00\x00\x00\x00\x0a
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_proposer_slashing/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_proposer_slashing/crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb
Base64: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALQA+QAAAAAAAAAACg==

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/struct_proposer_slashing/crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb

Output of `std::fmt::Debug`:

        ProposerSlashing {
            signed_header_1: SignedBeaconBlockHeader {
                message: BeaconBlockHeader {
                    slot: Slot(0),
                    proposer_index: 0,
                    parent_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                    state_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                    body_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
                signature: 0xb400f900000000000000000a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
            },
            signed_header_2: SignedBeaconBlockHeader {
                message: BeaconBlockHeader {
                    slot: Slot(0),
                    proposer_index: 0,
                    parent_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                    state_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                    body_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
                signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
            },
        }

Reproduce with:

        cargo fuzz run struct_proposer_slashing fuzz/artifacts/struct_proposer_slashing/crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb

Minimize test case with:

        cargo fuzz tmin struct_proposer_slashing fuzz/artifacts/struct_proposer_slashing/crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb

re ran crasher file to reproduce with ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_proposer_slashing fuzz/artifacts/struct_proposer_slashing/crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb and got

    Finished release [optimized] target(s) in 0.35s
     Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_proposer_slashing/ fuzz/artifacts/struct_proposer_slashing/crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb`
INFO: Seed: 1039665225
INFO: Loaded 1 modules   (201878 inline 8-bit counters): 201878 [0x5629d62f2461, 0x5629d63238f7),
INFO: Loaded 1 PC tables (201878 PCs): 201878 [0x5629d63238f8,0x5629d6638258),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_proposer_slashing/crash-47cbee6a7c0a7ffc861605bd9b557966e0e9f3cb
ERRO[0021] Could not get rough time result: no reply     prefix=roughtime
ERRO[0021] Could not get rough time result: no reply     prefix=roughtime
ERRO[0021] Could not get rough time result: no reply     prefix=roughtime
ERRO[0021] Could not get rough time result: no reply     prefix=roughtime
ERRO[0021] Could not get rough time result: no reply     prefix=roughtime
ERRO[0021] Could not get rough time result: no reply     prefix=roughtime
ERRO[0021] Failed to calculate roughtime offset          error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/proposer_slashing.rs:64:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==20440== ERROR: libFuzzer: fuzz target exited
    #0 0x5629d2c7c901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xc0b901)
    #1 0x5629d512f730  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30be730)
    #2 0x5629d514449b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30d349b)
    #3 0x7fc2f2489a26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7fc2f2489bdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x5629d2eb2f2c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe41f2c)
    #6 0x7fc2f248620f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7fc2f248618a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7fc2f2465858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x5629d51f65c6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x31855c6)
    #10 0x5629d51df8b5  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x316e8b5)
    #11 0x5629d5122c76  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30b1c76)
    #12 0x5629d51e6af7  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x3175af7)
    #13 0x5629d2f66294  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xef5294)
    #14 0x5629d2f65e39  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xef4e39)
    #15 0x5629d2f66134  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xef5134)
    #16 0x5629d2f6f498  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xefe498)
    #17 0x5629d2f7071c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xeff71c)
    #18 0x5629d2d9b68f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xd2a68f)
    #19 0x5629d2d21e49  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xcb0e49)
    #20 0x5629d5122ca0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30b1ca0)
    #21 0x5629d51228ff  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30b18ff)
    #22 0x5629d51448fc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30d38fc)
    #23 0x5629d5115a09  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30a4a09)
    #24 0x5629d511f802  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30ae802)
    #25 0x5629d2bf94b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb884b6)
    #26 0x7fc2f24670b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #27 0x5629d2bf965d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb8865d)

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

• Fuzzer ran: beaconfuzz_v2
• Version/Commit used: 9404192
• Operating System and version: Ubuntu 20.04

[Daft-Wullie]

could be a duplicate of #74 reporting in case it's something different.

[zedt3ster]

Thanks for reporting @Daft-Wullie ! This indeed a duplicate of #74