Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Crash/Fuzzing] IndexError during Attestation SSZ parsing (container empty) #931

Closed
pventuzelo opened this issue Apr 24, 2020 · 2 comments
Closed

Comments

@pventuzelo
Copy link

pventuzelo commented Apr 24, 2020

During fuzzing, I triggered an IndexError during parsing of Attestation ssz file with mainnet preset.

Error: unhandled exception: index out of bounds, the container is empty [IndexError]

Reproducing

Download:
IndexError_attestation_empty_container_nimbus_devel.zip

branch: devel
commit: fe30b24abad112a6fed9a6d4d18df1978f2350f6

Load the file using ncli_hash_tree_root:

$ make

$ cd ncli

$ ../env.sh nim c -d:const_preset=mainnet ncli_hash_tree_root

$ ./ncli_hash_tree_root --kind=attestation --file= IndexError_attestation_empty_container_nimbus_devel.ssz
Traceback (most recent call last, using override)
XXX/nim-beacon-chain/vendor/nim-confutils/confutils.nim(981) confutils
XXX/nim-beacon-chain/ncli/ncli_hash_tree_root2.nim(14) CLI
XXX/nim-beacon-chain/beacon_chain/ssz.nim(583) hash_tree_root
XXX/nim-beacon-chain/beacon_chain/ssz.nim(444) hashTreeRootImpl
XXX/nim-beacon-chain/beacon_chain/ssz.nim(570) hash_tree_root
XXX/nim-beacon-chain/beacon_chain/ssz.nim(466) bitlistHashTreeRoot
XXX/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system.nim(2515) X5BX5D
XXX/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/chcks.nim(23) raiseIndexError2
XXX/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/fatal.nim(51) sysFatal
XXX/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(407) reportUnhandledError
XXX/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(358) reportUnhandledErrorAux
Error: unhandled exception: index out of bounds, the container is empty [IndexError]
@tersec
Copy link
Contributor

tersec commented Apr 24, 2020

zcli refuses to even parse this one, so probably it's an SSZ parsing issue that leaks through to SSZ hashing:

$ zcli pretty attestation IndexError_attestation_empty_container_nimbus_devel.ssz 
cannot load input
cannot decode ssz: expected object length is larger than given bytesLen
$ zcli check attestation IndexError_attestation_empty_container_nimbus_devel.ssz 
cannot verify input
expected object length is larger than given bytesLen

https://github.com/ethereum/eth2.0-specs/blob/v0.11.1/ssz/simple-serialize.md#bitlistn notes that:

An additional 1 bit is added to the end, at index e where e is the length of the bitlist (not the limit), so that the length in bits will also be known.

and when it reaches bitlistHashTreeRoot it's just completely empty, not even the trailing 1 bit, which suggests again that the SSZ parsing is where it goes awry.

@tersec
Copy link
Contributor

tersec commented Apr 26, 2020

#936

@tersec tersec closed this as completed Apr 26, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants