sigp / beacon-fuzz

Differential Fuzzer for Ethereum 2.0
MIT License

[FUZZ] Beaconfuzz_v2 crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703 in attestation #78

Closed Daft-Wullie closed 3 years ago

Daft-Wullie commented 4 years ago

I've done and provided the following:

Info to Reproduce

Crash output and stacktrace

thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
  left: `true`,
 right: `false`', /home/beacon-fuzz/beaconfuzz_v2/libs/eth2clientsfuzz/src/attestation.rs:85:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==50522== ERROR: libFuzzer: fuzz target exited

SUMMARY: libFuzzer: fuzz target exited
MS: 1 ChangeBit-; base unit: cdff3762ea86eff7b43bc28dc652fea4c759d950
0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8f,0xfe,0xfe,0xfe,0xfe,
\x02\x00\x00\x00\x00\x00\x00\x00\x03\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xfe\xfe\xfe\xfe
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
Base64: AgAAAAAAAAADAQAAAAAAAAAAAQAAAAAAAAAAj/7+/v4=

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703

Output of `std::fmt::Debug`:

        Attestation {
            aggregation_bits: Bitfield {
                bytes: [
                    3,
                ],
                len: 8,
                _phantom: PhantomData,
            },
            data: AttestationData {
                slot: Slot(0),
                index: 1,
                beacon_block_root: 0x008ffefefefe0000000000000000000000000000000000000000000000000000,
                source: Checkpoint {
                    epoch: Epoch(0),
                    root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
                target: Checkpoint {
                    epoch: Epoch(0),
                    root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
            },
            signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
        }

Reproduce with:

        cargo fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703

Minimize test case with:

        cargo fuzz tmin struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703

────────────────────────────────────────────────────────────────────────────────

Re-ran the crashing input with `ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703` and got:

    Finished release [optimized] target(s) in 0.33s
     Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/ fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703`
INFO: Seed: 2679127849
INFO: Loaded 1 modules   (202179 inline 8-bit counters): 202179 [0x56389d815461, 0x56389d846a24),
INFO: Loaded 1 PC tables (202179 PCs): 202179 [0x56389d846a28,0x56389db5c658),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Failed to calculate roughtime offset          error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/attestation.rs:61:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==56664== ERROR: libFuzzer: fuzz target exited

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

pventuzelo commented 3 years ago

For analysis, here is a package with:

attestation.ssz  beacon.ssz  output_beaconfuzz_debug.txt  prysm_post.ssz

issue_78_attestation.zip

You can reproduce with:

../beaconfuzz_v2 debug beacon.ssz attestation.ssz attestation

FYI,

zedt3ster commented 3 years ago

I believe this should have been resolved by the Prysm team in this PR. @pventuzelo could you please rebuild the libpfuzz library and see if we can reproduce?

pventuzelo commented 3 years ago

@zedt3ster Even with the last version I got the same issue.

prestonvanloon commented 3 years ago

This issue was fixed in Prysm and released today in beta.1. Thanks!

zedt3ster commented 3 years ago

Confirmed this is a valid bug, see this PR for more details. Thanks @Daft-Wullie for reporting!