[FUZZ] Beaconfuzz_v2 crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703 in attestation #78

Closed
7 tasks done
Daft-Wullie opened this issue Sep 22, 2020 · 5 comments · Fixed by prysmaticlabs/prysm#7684
Labels
crash confirmed Crash is confirmed and developers are notified prysm

Comments

@Daft-Wullie

I've done and provided the following:

  • Checked to see if any other [FUZZ] issue already refers to that crasher
  • Attached the crashing input (either attached to the issue as a .zip or .gz, or as a link to a file sharing service)
  • Noted the beacon-fuzz version or commit used.
  • Provided crash output
  • Noted the command or fuzzer used to generate the crash
  • Name of the original crash file
  • (Optional but optimal) Checked if the crash can be consistently replicated by re-running the input.

Info to Reproduce

Crash output and stacktrace

thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
  left: `true`,
 right: `false`', /home/beacon-fuzz/beaconfuzz_v2/libs/eth2clientsfuzz/src/attestation.rs:85:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==50522== ERROR: libFuzzer: fuzz target exited

SUMMARY: libFuzzer: fuzz target exited
MS: 1 ChangeBit-; base unit: cdff3762ea86eff7b43bc28dc652fea4c759d950
0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8f,0xfe,0xfe,0xfe,0xfe,
\x02\x00\x00\x00\x00\x00\x00\x00\x03\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x8f\xfe\xfe\xfe\xfe
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
Base64: AgAAAAAAAAADAQAAAAAAAAAAAQAAAAAAAAAAj/7+/v4=

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703

Output of `std::fmt::Debug`:

        Attestation {
            aggregation_bits: Bitfield {
                bytes: [
                    3,
                ],
                len: 8,
                _phantom: PhantomData,
            },
            data: AttestationData {
                slot: Slot(0),
                index: 1,
                beacon_block_root: 0x008ffefefefe0000000000000000000000000000000000000000000000000000,
                source: Checkpoint {
                    epoch: Epoch(0),
                    root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
                target: Checkpoint {
                    epoch: Epoch(0),
                    root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
            },
            signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
        }

Reproduce with:

        cargo fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703

Minimize test case with:

        cargo fuzz tmin struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703


────────────────────────────────────────────────────────────────────────────────

Re-ran the crashing input with ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_attestation fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703 and got:

    Finished release [optimized] target(s) in 0.33s
     Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_attestation/ fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703`
INFO: Seed: 2679127849
INFO: Loaded 1 modules   (202179 inline 8-bit counters): 202179 [0x56389d815461, 0x56389d846a24),
INFO: Loaded 1 PC tables (202179 PCs): 202179 [0x56389d846a28,0x56389db5c658),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_attestation: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_attestation/crash-04bf9c907f05466a1bf0d9f203f30dacb2f19703
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Failed to calculate roughtime offset          error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/attestation.rs:61:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==56664== ERROR: libFuzzer: fuzz target exited

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

  • Fuzzer ran: beaconfuzz_v2
  • Version/Commit used: 9404192
  • Operating System and version: Ubuntu 20.04
@pventuzelo
Contributor

For analysis, here is a package with:

attestation.ssz  beacon.ssz  output_beaconfuzz_debug.txt  prysm_post.ssz

issue_78_attestation.zip

You can reproduce with:

../beaconfuzz_v2 debug beacon.ssz attestation.ssz attestation

FYI,

  • lighthouse rejects this voluntaryexit processing with the error:
    AttestationInvalid { index: 0, reason: BadCommitteeIndex }
  • prysm accepts the voluntaryexit processing
  • nimbus rejects the voluntaryexit processing
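To show what the three verdicts above correspond to, here is an added Go example (not code from beaconfuzz_v2, Prysm, Lighthouse or Nimbus): the committee-index bounds check that a BadCommitteeIndex rejection reflects, applied to the crasher's AttestationData (slot 0, index 1), plus the accept/reject comparison a differential fuzzer makes. It assumes the mainnet phase0 constants and a constructed count of 1000 active validators; all function names are hypothetical.

```go
package main

import "errors"
import "fmt"

// Mainnet phase0 constants (assumed here; the issue does not state them).
const (
	maxCommitteesPerSlot = 64
	slotsPerEpoch        = 32
	targetCommitteeSize  = 128
)

var ErrBadCommitteeIndex = errors.New("BadCommitteeIndex") // the reason Lighthouse reported

// committeeCountPerSlot follows the spec's get_committee_count_per_slot:
// max(1, min(MAX_COMMITTEES_PER_SLOT, active / SLOTS_PER_EPOCH / TARGET_COMMITTEE_SIZE)).
func committeeCountPerSlot(activeValidators uint64) uint64 {
	n := activeValidators / slotsPerEpoch / targetCommitteeSize
	if n > maxCommitteesPerSlot {
		n = maxCommitteesPerSlot
	}
	if n < 1 {
		n = 1
	}
	return n
}

// validateCommitteeIndex is the bounds check process_attestation requires: data.index
// must be below the committee count for the attestation's slot.
func validateCommitteeIndex(index, activeValidators uint64) error {
	if index >= committeeCountPerSlot(activeValidators) {
		return ErrBadCommitteeIndex
	}
	return nil
}

// differentialMismatch is true when any client's accept/reject verdict differs from
// the first one's; this is the condition beaconfuzz_v2 reports as "Mismatch post".
func differentialMismatch(verdicts []error) bool {
	for i := 1; i < len(verdicts); i++ {
		if (verdicts[i] == nil) != (verdicts[0] == nil) {
			return true
		}
	}
	return false
}

func main() {
	// Crasher's data: slot 0, index 1. With 1000 constructed active validators there is
	// one committee per slot, so index 1 is out of range (lighthouse/nimbus); prysm gave nil.
	err := validateCommitteeIndex(1, 1000)
	fmt.Println("lighthouse:", err, "| mismatch:", differentialMismatch([]error{err, nil, err}))
}
```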

@zedt3ster
Member

I believe this should have been resolved by the Prysm team in this PR. @pventuzelo could you please rebuild the libpfuzz library and see if we can reproduce?

@pventuzelo
Contributor

@zedt3ster Even with the latest version I got the same issue.

prestonvanloon added a commit to prysmaticlabs/prysm that referenced this issue Oct 30, 2020
prylabs-bulldozer bot pushed a commit to prysmaticlabs/prysm that referenced this issue Oct 30, 2020
* Add failing test to verify sigp/beacon-fuzz#78

* revert beacon-chain/core/blocks/spectest/attestation_test.go

* Describe bug in comments, fix bug

* 1
@prestonvanloon

This issue was fixed in Prysm and released today in beta.1. Thanks!

@zedt3ster
Member

Confirmed this is a valid bug, see this PR for more details. Thanks @Daft-Wullie for reporting!
