Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Crash/Fuzzing] TypeError in ssz library during BeaconBlock deserialize #22

Closed
pventuzelo opened this issue May 18, 2020 · 1 comment · Fixed by #37
Closed

[Crash/Fuzzing] TypeError in ssz library during BeaconBlock deserialize #22

pventuzelo opened this issue May 18, 2020 · 1 comment · Fixed by #37
Assignees
@twoeths

Comments

@pventuzelo
Copy link

Describe the bug

During fuzzing with beaconfuzz, I found this TypeError crash inside ssz library when trying to deserialize a beaconblock.

Expected behavior

Should throw a custom Error.

Steps to Reproduce

crash_TypeError_block_lodestar.js:

var mainnet_1 = require("@chainsafe/lodestar-types/lib/ssz/presets/mainnet");

buf = Buffer.from('0100000000000000ae000000000000000a0a0a0a2a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a000000000000000000000000000000000000000000000000000000000000000054000000b69753a1c80a81b630fedc668c19ac093cbcc44fe1e294ff7164de52ef0f109a602b7065cb7b21f14a65cbcbbd4455960cef385d552e393e2d47b340cab50291ce81256c1b8239d6ebc1ab84ae2410f6b9fb3dc989e15a9fe9a4431393e1da5d0000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dc000000dc000000dc000000dc000000dc00ddff', 'hex')

mainnet_1.types.BeaconBlock.deserialize(buf);

Run:

$ npm i @chainsafe/lodestar-types

$ node crash_TypeError_block_lodestar.js
XXX/lodestar/node_modules/@chainsafe/ssz/lib/types/basic/uint.js:176
      output += BigInt(data[offset + i]) << BigInt(8 * i);
                ^

TypeError: Cannot convert undefined to a BigInt
    at BigInt (<anonymous>)
    at BigIntUintType.fromBytes (XXX/lodestar/node_modules/@chainsafe/ssz/lib/types/basic/uint.js:176:17)
    at XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:133:40
    at Array.forEach (<anonymous>)
    at ContainerStructuralHandler.fromBytes (XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:112:39)
    at XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:135:51
    at Array.forEach (<anonymous>)
    at ContainerStructuralHandler.fromBytes (XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:112:39)
    at XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/array.js:209:54
    at Function.from (<anonymous>)

Desktop (please complete the following information):
@mpetrunic mpetrunic transferred this issue from ChainSafe/lodestar May 18, 2020
@mpetrunic mpetrunic reopened this May 18, 2020
@pventuzelo
Copy link
Author

Extra information (zcli output):

$ zcli pretty block crash.bin
cannot load input
cannot decode ssz: cannot create scoped decoding reader, scope of 4292673536 bytes is bigger than parent scope has available space 0

@twoeths twoeths self-assigned this Jun 24, 2020
@twoeths twoeths mentioned this issue Jun 25, 2020
Merged
wemeetagain added a commit that referenced this issue Aug 26, 2021
@wemeetagain
Merge pull request #22 from ChainSafe/cayman/release
9c1ecee 
v0.2.3
wemeetagain added a commit that referenced this issue Sep 7, 2021
@wemeetagain
Merge pull request #22 from ChainSafe/publish.yml
d544305 
Add publish.yml to publish via github pages using github actions rather than travis
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@twoeths twoeths

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Validation for fromBytes ChainSafe/ssz
4 participants
@wemeetagain @mpetrunic @pventuzelo @twoeths