[FUZZ] Beaconfuzz_v2 crash-e63668ea501e77231d973e7594bed483fbe5cbc5 in struct_attestation

[Daft-Wullie]

I've identified a fuzzer crash and am contributing to the security of Ethereum 2!

I've done and provided the following:

• [x] Checked to see if any other [FUZZ] issue already refers to that crasher
• [x] Attached the crashing input (either attached to the issue as a .zip or .gz, or as a link to a file sharing service)
• [x] Noted the beacon-fuzz version or commit used.
• [x] Provided crash output
• [x] Noted the command or fuzzer used to generate the crash
• [x] Name of the original crash file
• [x] (Optional but optimal) Checked if the crash can be consistently replicated by re-running the input.

Info to Reproduce

• Command run: e.g. `make fuzz_attestation-struct

• Crasher file name: crash-e63668ea501e77231d973e7594bed483fbe5cbc5 crash-e63668ea501e77231d973e7594bed483fbe5cbc5.zip

• beaconstate: adff0fb65525fcb1f08ecf09c1898dea.ssz

• Client exercised: N/A

• Fuzzing engine used (if applicable): libfuzzer

Crash output and stacktrace

#8192   pulse  cov: 1529 ft: 1781 corp: 41/2319b lim: 337 exec/s: 37 rss: 402Mb
thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
  left: `true`,
 right: `false`', /home/beacon-fuzz/beaconfuzz_v2/libs/eth2clientsfuzz/src/attestation.rs:85:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==7854== ERROR: libFuzzer: fuzz target exited
    #0 0x55605a9ec901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb8f901)
    #1 0x55605ce56ec0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2ff9ec0)
    #2 0x55605ce6bc2b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x300ec2b)
    #3 0x7f9ea80faa26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f9ea80fabdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x55605ac2227c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xdc527c)
    #6 0x7f9ea80f720f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f9ea80f718a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f9ea80d6858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x55605cf1daa6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30c0aa6)
    #10 0x55605cf06d95  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30a9d95)
    #11 0x55605ce4a406  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2fed406)
    #12 0x55605cf0dfd7  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b0fd7)
    #13 0x55605cf0db88  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b0b88)
    #14 0x55605cf0906b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30ac06b)
    #15 0x55605cf0db48  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b0b48)
    #16 0x55605cf0dafa  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b0afa)
    #17 0x55605ab020d7  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xca50d7)
    #18 0x55605aa96e20  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xc39e20)
    #19 0x55605ce4a430  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2fed430)
    #20 0x55605ce4a08f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2fed08f)
    #21 0x55605ce6c08c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x300f08c)
    #22 0x55605ce74240  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3017240)
    #23 0x55605ce74bfc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3017bfc)
    #24 0x55605ce76fff  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3019fff)
    #25 0x55605ce485d9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x2feb5d9)
    #26 0x55605a9694b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb0c4b6)
    #27 0x7f9ea80d80b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #28 0x55605a96965d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb0c65d)

SUMMARY: libFuzzer: fuzz target exited
MS: 2 ShuffleBytes-PersAutoDict- DE: "\x01\x00\x00\x00"-; base unit: b8e500a54ff76057437e183673bcc878414e37ef
0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x71,0x8,0xfe,0xc5,0xfe,0xfe,
\x02\x00\x00\x00\x00\x00\x00\x00\x0f\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00q\x08\xfe\xc5\xfe\xfe
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/crash-e63668ea501e77231d973e7594bed483fbe5cbc5
Base64: AgAAAAAAAAAPAQAAAAAAAAAAAQAAAAAAAABxCP7F/v4=

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/struct_attestation/crash-e63668ea501e77231d973e7594bed483fbe5cbc5

Output of `std::fmt::Debug`:

        Attestation {
            aggregation_bits: Bitfield {
                bytes: [
                    15,
                ],
                len: 8,
                _phantom: PhantomData,
            },
            data: AttestationData {
                slot: Slot(0),
                index: 1,
                beacon_block_root: 0x7108fec5fefe0000000000000000000000000000000000000000000000000000,
                source: Checkpoint {
                    epoch: Epoch(0),
                    root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
                target: Checkpoint {
                    epoch: Epoch(0),
                    root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
            },
            signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
        }

Reproduce with:

        cargo fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-e63668ea501e77231d973e7594bed483fbe5cbc5

Minimize test case with:

        cargo fuzz tmin struct_attestation fuzz/artifacts/struct_attestation/crash-e63668ea501e77231d973e7594bed483fbe5cbc5

────────────────────────────────────────────────────────────────────────────────

re run crasher file with ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-e63668ea501e77231d973e7594bed483fbe5cbc5 and got:

    Finished release [optimized] target(s) in 0.85s
     Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/ fuzz/artifacts/struct_attestation/crash-e63668ea501e77231d973e7594bed483fbe5cbc5`
INFO: Seed: 757559807
INFO: Loaded 1 modules   (202208 inline 8-bit counters): 202208 [0x55ac46fd0461, 0x55ac47001a41),
INFO: Loaded 1 PC tables (202208 PCs): 202208 [0x55ac47001a48,0x55ac47317848),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_attestation/crash-e63668ea501e77231d973e7594bed483fbe5cbc5
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Failed to calculate roughtime offset          error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
  left: `true`,
 right: `false`', /home/beacon-fuzz/beaconfuzz_v2/libs/eth2clientsfuzz/src/attestation.rs:85:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==12049== ERROR: libFuzzer: fuzz target exited
    #0 0x55ac4394e901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xc0e901)
    #1 0x55ac45e0abf0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30cabf0)
    #2 0x55ac45e1f95b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30df95b)
    #3 0x7f01e33b6a26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f01e33b6bdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x55ac43b8e35c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xe4e35c)
    #6 0x7f01e33b320f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f01e33b318a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f01e3392858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x55ac45ed1a86  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3191a86)
    #10 0x55ac45ebad75  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x317ad75)
    #11 0x55ac45dfe136  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30be136)
    #12 0x55ac45ec1fb7  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3181fb7)
    #13 0x55ac45ec1b68  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3181b68)
    #14 0x55ac45ebd04b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x317d04b)
    #15 0x55ac45ec1b28  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3181b28)
    #16 0x55ac45ec1ada  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x3181ada)
    #17 0x55ac43a69bd7  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xd29bd7)
    #18 0x55ac439fce6e  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xcbce6e)
    #19 0x55ac45dfe160  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30be160)
    #20 0x55ac45dfddbf  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30bddbf)
    #21 0x55ac45e1fdbc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30dfdbc)
    #22 0x55ac45df0ec9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30b0ec9)
    #23 0x55ac45dfacc2  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0x30bacc2)
    #24 0x55ac438cb4b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb8b4b6)
    #25 0x7f01e33940b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #26 0x55ac438cb65d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation+0xb8b65d)

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

• Fuzzer ran: beaconfuzz_v2
• Version/Commit used: a99115b
• Operating System and version: Ubuntu 20.04

[Daft-Wullie]

unsure if same as #78, reporting in case it's different.

[pventuzelo]

For analysis, here is a package with:

attestation.ssz  beacon.ssz  output_beaconfuzz_debug.txt  prysm_post.ssz

issue_85_attestation.zip

You can reproduce with:

../beaconfuzz_v2 debug beacon.ssz attestation.ssz attestation

FYI,

• lighthouse reject this voluntaryexit processing with the error: AttestationInvalid { index: 0, reason: BadCommitteeIndex }
• prysm accept the voluntaryexit processing
• nimbus reject the voluntaryexit processing

Look similar than #78, let keep this one open as well for the moment.

[zedt3ster]

Yup, confirmed this is a duplicate of #78