sigp / beacon-fuzz

Differential Fuzzer for Ethereum 2.0
MIT License

[FUZZ] Beaconfuzz_v2 crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95 in struct_voluntary_exit #84

Closed Daft-Wullie closed 3 years ago

Daft-Wullie commented 3 years ago

I've identified a fuzzer crash and am contributing to the security of Ethereum 2!

I've done and provided the following:

Info to Reproduce

Crash output and stacktrace

Slowest unit: 20 s:
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/slow-unit-1614bb477c022cfcc7607c32a20d270b09071d85
Base64: CgoKCgoEAADfAAAAAAAAAA==
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/voluntary_exit.rs:57:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==29109== ERROR: libFuzzer: fuzz target exited
    #0 0x5623c6802901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb8d901)
    #1 0x5623c8c636c0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fee6c0)
    #2 0x5623c8c7842b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300342b)
    #3 0x7f87ffb54a26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f87ffb54bdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x5623c6a2ea7c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xdb9a7c)
    #6 0x7f87ffb5120f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f87ffb5118a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f87ffb30858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x5623c8d2a2a6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30b52a6)
    #10 0x5623c8d13595  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x309e595)
    #11 0x5623c8c56c06  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fe1c06)
    #12 0x5623c8d1a7d7  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30a57d7)
    #13 0x5623c6ae1dd4  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe6cdd4)
    #14 0x5623c6ae1979  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe6c979)
    #15 0x5623c6ae1c74  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe6cc74)
    #16 0x5623c6aeb899  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe76899)
    #17 0x5623c6aec2bc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe772bc)
    #18 0x5623c691e28d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xca928d)
    #19 0x5623c68a3863  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xc2e863)
    #20 0x5623c8c56c30  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fe1c30)
    #21 0x5623c8c5688f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fe188f)
    #22 0x5623c8c7888c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300388c)
    #23 0x5623c8c80a40  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300ba40)
    #24 0x5623c8c81c1b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300cc1b)
    #25 0x5623c8c8368c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x300e68c)
    #26 0x5623c8c54dd9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x2fdfdd9)
    #27 0x5623c677f4b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb0a4b6)
    #28 0x7f87ffb320b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #29 0x5623c677f65d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb0a65d)

SUMMARY: libFuzzer: fuzz target exited
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x61,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
\x00\x00\x00\x00\x00\x00\x00\x00a\x00\x00\x00\x00\x00\x00\x00
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95
Base64: AAAAAAAAAABhAAAAAAAAAA==

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95

Output of `std::fmt::Debug`:

        SignedVoluntaryExit {
            message: VoluntaryExit {
                epoch: Epoch(0),
                validator_index: 97,
            },
            signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
        }

Reproduce with:

        cargo fuzz run struct_voluntary_exit fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95

Minimize test case with:

        cargo fuzz tmin struct_voluntary_exit fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95

────────────────────────────────────────────────────────────────────────────────

Re-ran the crasher file with ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_voluntary_exit fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95 and got:

    Finished release [optimized] target(s) in 0.45s
     Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_voluntary_exit/ fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95`
INFO: Seed: 235623633
INFO: Loaded 1 modules   (201876 inline 8-bit counters): 201876 [0x55dc2b819461, 0x55dc2b84a8f5),
INFO: Loaded 1 PC tables (201876 PCs): 201876 [0x55dc2b84a8f8,0x55dc2bb5f238),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_voluntary_exit/crash-7085c8644d273e71ce76bae2e8f0ed7e08adea95
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Failed to calculate roughtime offset          error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/voluntary_exit.rs:57:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==32717== ERROR: libFuzzer: fuzz target exited
    #0 0x55dc281a3901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xc0b901)
    #1 0x55dc2a655e70  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30bde70)
    #2 0x55dc2a66abdb  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30d2bdb)
    #3 0x7f310e25aa26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f310e25abdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x55dc283d95ac  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xe415ac)
    #6 0x7f310e25720f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f310e25718a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f310e236858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x55dc2a71cd06  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x3184d06)
    #10 0x55dc2a705ff5  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x316dff5)
    #11 0x55dc2a6493b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30b13b6)
    #12 0x55dc2a70d237  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x3175237)
    #13 0x55dc2848c914  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xef4914)
    #14 0x55dc2848c4b9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xef44b9)
    #15 0x55dc2848c7b4  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xef47b4)
    #16 0x55dc284963d9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xefe3d9)
    #17 0x55dc28496dfc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xefedfc)
    #18 0x55dc282c47dd  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xd2c7dd)
    #19 0x55dc28248326  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xcb0326)
    #20 0x55dc2a6493e0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30b13e0)
    #21 0x55dc2a64903f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30b103f)
    #22 0x55dc2a66b03c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30d303c)
    #23 0x55dc2a63c149  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30a4149)
    #24 0x55dc2a645f42  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0x30adf42)
    #25 0x55dc281204b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb884b6)
    #26 0x7f310e2380b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #27 0x55dc2812065d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_voluntary_exit+0xb8865d)

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

pventuzelo commented 3 years ago

For analysis, here is a package with:

issue_84_voluntary_exit.zip

You can reproduce with:

../beaconfuzz_v2 debug beacon_0298.ssz voluntary_exit.ssz voluntaryexit

FYI,

This looks more like a bug in the fuzzer itself than a bug in Lighthouse. @zedt3ster @gnattishness, can you confirm this line should not be commented? https://github.com/sigp/beacon-fuzz/blob/master/beaconfuzz_v2/libs/lighthouse/src/voluntary_exit.rs#L16
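
The crash artifact in the report is the raw 16-byte libFuzzer unit (Base64 AAAAAAAAAABhAAAAAAAAAA==), not an SSZ-encoded SignedVoluntaryExit: the Debug output above (epoch 0, validator_index 97, all-zero signature) is what you get by reading two little-endian u64s from those bytes and zero-filling the 96-byte signature once the input runs out. The block below is an added example written for this page, not code from beacon-fuzz, Lighthouse, Prysm or Nimbus. It assumes that arbitrary-style derivation of the struct from the fuzz bytes (consistent with the Debug output shown, but an assumption about the target), decodes both artifacts quoted in the report, and re-encodes the result as the fixed-size SSZ container (8 + 8 + 96 = 112 bytes) that a standalone repro file such as the voluntary_exit.ssz in the debug command consumes.

```rust
use std::convert::TryInto;

// Constructed from the issue report: the 16-byte libFuzzer artifact and its Base64 form.
const CRASH_B64: &str = "AAAAAAAAAABhAAAAAAAAAA==";
const CRASH_BYTES: [u8; 16] = [0, 0, 0, 0, 0, 0, 0, 0, 0x61, 0, 0, 0, 0, 0, 0, 0];

/// SSZ size of a SignedVoluntaryExit: epoch (8) + validator_index (8) + signature (96).
/// All fields are fixed-size, so the container is a plain concatenation with no offsets.
const SIGNED_VOLUNTARY_EXIT_SSZ_LEN: usize = 8 + 8 + 96;

#[derive(Debug, PartialEq)]
struct VoluntaryExit {
    epoch: u64,
    validator_index: u64,
}

#[derive(Debug, PartialEq)]
struct SignedVoluntaryExit {
    message: VoluntaryExit,
    signature: [u8; 96],
}

/// Minimal Base64 decoder (standard alphabet, '=' padding) so the example has no dependencies.
fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    fn val(c: u8) -> Result<u32, String> {
        match c {
            b'A'..=b'Z' => Ok((c - b'A') as u32),
            b'a'..=b'z' => Ok((c - b'a' + 26) as u32),
            b'0'..=b'9' => Ok((c - b'0' + 52) as u32),
            b'+' => Ok(62),
            b'/' => Ok(63),
            _ => Err(format!("invalid base64 character {:?}", c as char)),
        }
    }
    let chars: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if chars.len() % 4 != 0 {
        return Err("base64 length is not a multiple of 4".to_string());
    }
    let mut out = Vec::with_capacity(chars.len() / 4 * 3);
    for quad in chars.chunks(4) {
        let pad = quad.iter().rev().take_while(|&&c| c == b'=').count();
        if pad > 2 {
            return Err("too much padding".to_string());
        }
        let mut acc: u32 = 0;
        for &c in &quad[..4 - pad] {
            acc = (acc << 6) | val(c)?;
        }
        acc <<= 6 * pad as u32;
        let bytes = acc.to_be_bytes(); // the 24 significant bits sit in bytes[1..4]
        out.extend_from_slice(&bytes[1..4 - pad]);
    }
    Ok(out)
}

/// Rebuild the struct the way an arbitrary-style generator would (assumption, see lead-in):
/// each field takes the bytes still available and is zero-filled when the input is exhausted.
fn from_fuzz_input(data: &[u8]) -> SignedVoluntaryExit {
    let mut pos = 0usize;
    let mut take = |n: usize| -> Vec<u8> {
        let mut buf = vec![0u8; n];
        let avail = data.len().saturating_sub(pos).min(n);
        buf[..avail].copy_from_slice(&data[pos..pos + avail]);
        pos += avail;
        buf
    };
    let epoch = u64::from_le_bytes(take(8).try_into().unwrap());
    let validator_index = u64::from_le_bytes(take(8).try_into().unwrap());
    let signature: [u8; 96] = take(96).try_into().unwrap();
    SignedVoluntaryExit { message: VoluntaryExit { epoch, validator_index }, signature }
}

fn decode_artifact(b64: &str) -> Result<SignedVoluntaryExit, String> {
    let raw = base64_decode(b64)?;
    Ok(from_fuzz_input(&raw))
}

/// SSZ encoding: little-endian uint64 fields followed by the 96-byte signature vector.
fn ssz_encode(sve: &SignedVoluntaryExit) -> Vec<u8> {
    let mut out = Vec::with_capacity(SIGNED_VOLUNTARY_EXIT_SSZ_LEN);
    out.extend_from_slice(&sve.message.epoch.to_le_bytes());
    out.extend_from_slice(&sve.message.validator_index.to_le_bytes());
    out.extend_from_slice(&sve.signature);
    out
}

/// Strict SSZ decoding: a fixed-size container must be exactly its declared length.
fn ssz_decode(bytes: &[u8]) -> Result<SignedVoluntaryExit, String> {
    if bytes.len() != SIGNED_VOLUNTARY_EXIT_SSZ_LEN {
        return Err(format!("expected {} bytes, got {}", SIGNED_VOLUNTARY_EXIT_SSZ_LEN, bytes.len()));
    }
    let epoch = u64::from_le_bytes(bytes[0..8].try_into().unwrap());
    let validator_index = u64::from_le_bytes(bytes[8..16].try_into().unwrap());
    let signature: [u8; 96] = bytes[16..112].try_into().unwrap();
    Ok(SignedVoluntaryExit { message: VoluntaryExit { epoch, validator_index }, signature })
}

fn main() {
    let sve = decode_artifact(CRASH_B64).expect("artifact decodes");
    println!("{:#?}", sve);
    let ssz = ssz_encode(&sve);
    let hex: String = ssz.iter().map(|b| format!("{:02x}", b)).collect();
    println!("voluntary_exit.ssz ({} bytes): {}", ssz.len(), hex);
}
```

Decoding the artifact this way confirms the input itself is unremarkable (a zero signature would be rejected by every client), which is consistent with the thread's conclusion that the "Mismatch post" came from the Lighthouse harness skipping the committee-cache build rather than from the exit data. The same decoder applied to the slow-unit Base64 in the report gives epoch 0x0000040a0a0a0a0a and validator_index 223.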

zedt3ster commented 3 years ago

Yup, that's correct. We need to build the committee cache every epoch.

pventuzelo commented 3 years ago

fixed with: a99115b55c68e0f793882c00a9f5853586250985

new beaconfuzz output:

[LIGHTHOUSE] SSZ decoding true
[LIGHTHOUSE] Ok(())
[LIGHTHOUSE] Processing true
[PRYSM] Processing true
[NIMBUS] Processing true