[Fuzzing] Crash on nfuzz_attestation

Question

[Fuzzing] Crash on nfuzz_attestation

mratsim opened this issue 5 years ago · 8 comments

mratsim commented 5 years ago

See the fuzzing input pinned in the fuzzing discord channel.

Answer 1 · 2019-12-23T15:35:20.000Z

attach files here, note version?

Answer 2 · 2019-12-27T04:45:21.000Z

A bit annoying I can't attach the ssz directly:
nim_attestation_crash.ssz

This is a BeaconState + Attestation ssz container that, when passed to nfuzz_attestation, triggers the following assertion:
nim_attestation_trace.txt

Answer 3 · 2019-12-31T15:31:07.000Z

I haven't investigated this scenario, but I assume this highlights a gap in our consensus tests.
Am I correct in that assumption?

Also, can someone add me to the fuzzing discord?

Answer 4 · 2020-01-02T03:30:17.000Z

I think I've narrowed it down:
I can't see any equivalent in nim-beacon-chain for the following
assert data.index < get_committee_count_at_slot(state, data.slot) (https://github.com/ethereum/eth2.0-specs/blob/dev/specs/core/0_beacon-chain.md#attestations).

Because a larger index is allowed through, index > count is possible in compute_committee, and thus an endIdx > index_count.

Answer 5 · 2020-01-02T03:41:49.000Z

@djrtwo I'm not certain re concensus tests, as this is effectively a "crash" of nim-beacon-chain, when it should return false (allowing nimbus to continue running).
If it's possible for the consensus tests to differentiate between an error return and a crash, then this could be a gap in the tests.

In pyspec, this would be triggering an AssertionError anyway. If the above understanding of the bug is correct, an equivalent bug in the pyspec would be for assert data.index < get_committee_count_at_slot(state, data.slot) to be missing from process_attestation, and the input triggers a different Assert in compute_shuffled_index: assert index < index_count

If the tests are only checking whether an assert is triggered, they would not be able to differentiate between these.

Can someone confirm whether my understanding is correct?

Answer 6 · 2020-01-02T13:51:26.000Z

Interesting, I see.

That said, this codepath is clearly not triggered in Nimbus during the consensus tests. It seems likely that we can and should craft a consensus test that would trigger this code path.

I'll monitor this thread and make a call when y'all post a fix

Answer 7 · 2020-01-28T10:09:59.000Z

In theory, this should be fixed in devel now.

Answer 8 · 2020-01-29T08:59:10.000Z

Feel free to re-open if this isn't, in fact, fixed.