[Fuzzing] Illegal Index Array Access in Attester Slashing Processing #2345
Description
While fuzzing Teku's Attester Slashing processing using beacon-fuzz, I triggered the following exception:

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index -1953788990 out of bounds for length 256

Note that this was triggered using a valid BeaconState, and the related AttesterSlashing SSZ container can be successfully parsed using zcli.

From a quick glance, the affected code seems to be:
https://github.com/PegaSysEng/teku/blob/d9fdf128e70b7cc4d5d0b556f1bea20f17b7bf22/ssz/src/main/java/tech/pegasys/teku/ssz/backing/cache/ArrayIntCache.java#L68-L76
Steps to Reproduce (Bug)

The BeaconState and AttesterSlashing containers can be downloaded here. We have a small utility to reproduce this bug, as part of eth2fuzz:

1. Build the eth2fuzz docker container, described here (i.e. make teku).
2. Copy the containers into beacon-fuzz/eth2fuzz/workspace/javafuzz.
3. Run the docker container (from the eth2fuzz directory):
   docker run -v $(pwd)/workspace:/eth2fuzz/workspace --entrypoint=bash -it eth2fuzz_teku
4. Compile the harness inside the container:
   cd workspace/javafuzz/ && javac -cp .:$(./tekuclass.sh) TekuFuzz.java
5. Run it against the two containers:
   DEBUG_BEACONSTATE=beaconstate.ssz DEBUG_CONTAINER=ssz3.ssz CLASSPATH=$CLASSPATH:$(./tekuclass.sh) java TekuFuzz
Versions
master
openjdk version "11.0.7" 2020-04-14
Ubuntu 18.04.4 LTS
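The failure mode in the report is a fixed-size array-backed cache being indexed with a negative value derived from an attacker-supplied container. The following is an added illustration, not code from Teku, beacon-fuzz or the ArrayIntCache file linked above: a hypothetical int-indexed cache in the unchecked shape that throws ArrayIndexOutOfBoundsException, next to a checked variant that treats an out-of-range index as a miss, plus the range check that belongs on the untrusted uint64 before it is ever narrowed to a Java int. The class names, helper names and sample values are all assumptions; in particular, the constructed value 0x8B8B8BC2 is chosen only because narrowing it to int yields the index printed in the exception, not because the page shows that Teku's index arises that way.

```java
import java.util.Arrays;
import java.util.OptionalInt;

/*
 * Added illustration (hypothetical, not Teku's code): an unchecked
 * int-indexed cache beside a checked one, and the uint64 range check
 * that should run before an SSZ-sourced index reaches either.
 */
public class IndexCacheDemo {

    /** Unchecked: the array access trusts whatever index the caller computed. */
    static final class UncheckedIntCache {
        private final int[] slots;

        UncheckedIntCache(int capacity) {
            slots = new int[capacity];
            Arrays.fill(slots, -1); // -1 marks an empty slot
        }

        int get(int index) {
            return slots[index]; // throws ArrayIndexOutOfBoundsException for index < 0 or >= capacity
        }

        void put(int index, int value) {
            slots[index] = value;
        }
    }

    /** Checked: an index outside [0, capacity) is a miss, never an exception. */
    static final class CheckedIntCache {
        private final int[] slots;

        CheckedIntCache(int capacity) {
            slots = new int[capacity];
            Arrays.fill(slots, -1);
        }

        OptionalInt get(int index) {
            if (index < 0 || index >= slots.length || slots[index] < 0) {
                return OptionalInt.empty();
            }
            return OptionalInt.of(slots[index]);
        }

        boolean put(int index, int value) {
            if (index < 0 || index >= slots.length || value < 0) {
                return false; // refuse rather than corrupt the array or throw
            }
            slots[index] = value;
            return true;
        }
    }

    /**
     * Narrowing a uint64 read from an SSZ container to a Java int keeps only the
     * low 32 bits, so any value with bit 31 set becomes negative.
     */
    static int narrowToInt(long uint64Value) {
        return (int) uint64Value;
    }

    /** Range check to apply to the untrusted uint64 before it is narrowed. */
    static boolean isUsableIndex(long uint64Value, int capacity) {
        // A negative long is a uint64 >= 2^63; the first comparison rejects it too.
        return uint64Value >= 0 && uint64Value < capacity;
    }

    public static void main(String[] args) {
        final int capacity = 256; // same array length as in the reported exception

        // Constructed input (assumption): the unsigned 32-bit value whose narrowing
        // to int is -1953788990, the index printed in the report.
        long hostile = 0x8B8B8BC2L;
        int narrowed = narrowToInt(hostile);
        System.out.println("narrowed index: " + narrowed);

        UncheckedIntCache unchecked = new UncheckedIntCache(capacity);
        try {
            unchecked.get(narrowed);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unchecked cache: " + e.getMessage());
        }

        CheckedIntCache checked = new CheckedIntCache(capacity);
        System.out.println("checked cache accepts hostile index: " + checked.put(narrowed, 42));
        System.out.println("checked cache lookup for hostile index: " + checked.get(narrowed));
        System.out.println("hostile uint64 usable before narrowing: " + isUsableIndex(hostile, capacity));

        long benign = 7L; // constructed in-range index
        checked.put(narrowToInt(benign), 42);
        System.out.println("benign lookup: " + checked.get(narrowToInt(benign)));
    }
}
```

The point of the checked variant is not that a miss is the right answer for a hostile index, but that the decision is made explicitly in the state-transition code (reject the slashing, or the block containing it) instead of surfacing as an uncaught runtime exception from a cache. Checking the value while it is still a long, as isUsableIndex does, also catches indices above 2^31 that would otherwise wrap to a small positive int and silently collide with a legitimate slot.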