blob: VerifyCommitProof.Verify panics with "panic: runtime error: slice bounds out of range [:1] with capacity 0" for given simple repro #3729

Open
odeke-em opened this issue Sep 15, 2024 · 0 comments · May be fixed by #3732
Labels
bug Something isn't working external Issues created by non node team members

odeke-em commented Sep 15, 2024

Celestia Node version

1a1286f

OS

darwin

Install tools

No response

Others

No response

Steps to reproduce it

package blob_test

import (
        "testing"

        "github.com/celestiaorg/celestia-node/blob"
        "github.com/celestiaorg/nmt"
        "github.com/celestiaorg/nmt/pb"
)

func TestCommitmentProofVerifySliceBound(t *testing.T) {
        // A subtree root proof whose End is 1.
        proof := nmt.ProtoToProof(pb.Proof{End: 1})
        // SubtreeRoots is left empty while one subtree root proof is supplied.
        cp := &blob.CommitmentProof{
                SubtreeRootProofs: []*nmt.Proof{
                        &proof,
                },
        }
        // Verify panics here instead of returning an error.
        _, _ = cp.Verify(nil, 1)
}

Expected result

No panic, but just an error perhaps

Actual result

--- FAIL: FuzzCommitmentProofVerify (0.02s)
    --- FAIL: FuzzCommitmentProofVerify/6a2b4b982dc67bf9 (0.00s)
panic: runtime error: slice bounds out of range [:1] with capacity 0 [recovered]
	panic: runtime error: slice bounds out of range [:1] with capacity 0

goroutine 13 [running]:
testing.tRunner.func1.2({0x107f22820, 0xc00054d950})
	/Users/emmanuelodeke/go/pkg/mod/golang.org/[email protected]/src/testing/testing.go:1632 +0x230
testing.tRunner.func1()
	/Users/emmanuelodeke/go/pkg/mod/golang.org/[email protected]/src/testing/testing.go:1635 +0x35e
panic({0x107f22820?, 0xc00054d950?})
	/Users/emmanuelodeke/go/pkg/mod/golang.org/[email protected]/src/runtime/panic.go:785 +0x132
github.com/celestiaorg/celestia-node/blob.(*CommitmentProof).Verify(0xc0015897c0, {0x0, 0x0, 0x0}, 0x1)
	/Users/emmanuelodeke/go/src/github.com/celestiaorg/celestia-node/blob/commitment_proof.go:121 +0x73d
github.com/celestiaorg/celestia-node/blob.FuzzCommitmentProofVerify.func1(0x0?, {0xc00005d900, 0x4a, 0x50})
	/Users/emmanuelodeke/go/src/github.com/celestiaorg/celestia-node/blob/blob_fuzz_test.go:85 +0x172
reflect.Value.call({0x107ccd9a0?, 0x108067190?, 0x13?}, {0x107208138, 0x4}, {0xc001551e90, 0x2, 0x2?})
	/Users/emmanuelodeke/go/pkg/mod/golang.org/[email protected]/src/reflect/value.go:581 +0xca6
reflect.Value.Call({0x107ccd9a0?, 0x108067190?, 0x105becfad?}, {0xc001551e90?, 0x108062e00?, 0xf?})
	/Users/emmanuelodeke/go/pkg/mod/golang.org/[email protected]/src/reflect/value.go:365 +0xb9
testing.(*F).Fuzz.func1.1(0xc000655a00?)
	/Users/emmanuelodeke/go/pkg/mod/golang.org/[email protected]/src/testing/fuzz.go:335 +0x305
testing.tRunner(0xc000655a00, 0xc00140cfc0)
	/Users/emmanuelodeke/go/pkg/mod/golang.org/[email protected]/src/testing/testing.go:1690 +0xf4
created by testing.(*F).Fuzz.func1 in goroutine 12
	/Users/emmanuelodeke/go/pkg/mod/golang.org/[email protected]/src/testing/fuzz.go:322 +0x577
exit status 2
FAIL	github.com/celestiaorg/celestia-node/blob	1.527s

Suggested fix

diff --git a/blob/commitment_proof.go b/blob/commitment_proof.go
index 8fa74671..3975b528 100644
--- a/blob/commitment_proof.go
+++ b/blob/commitment_proof.go
@@ -108,6 +108,15 @@ func (commitmentProof *CommitmentProof) Verify(root []byte, subtreeRootThreshold
 		if err != nil {
 			return false, err
 		}
+
+		if len(commitmentProof.SubtreeRoots) < subtreeRootsCursor {
+			return false, fmt.Errorf("len(commitmentProof.SubtreeRoots)=%d < subtreeRootsCursor=%d",
+				len(commitmentProof.SubtreeRoots), subtreeRootsCursor)
+		}
+		if len(commitmentProof.SubtreeRoots) < subtreeRootsCursor+len(ranges) {
+			return false, fmt.Errorf("len(commitmentProof.SubtreeRoots)=%d < subtreeRootsCursor+len(ranges)=%d",
+				len(commitmentProof.SubtreeRoots), subtreeRootsCursor+len(ranges))
+		}
+
 		valid, err := subtreeRootProof.VerifySubtreeRootInclusion(
 			nmtHasher,
 			commitmentProof.SubtreeRoots[subtreeRootsCursor:subtreeRootsCursor+len(ranges)],
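
Review bot: The first guard, `len(commitmentProof.SubtreeRoots) < subtreeRootsCursor`, is implied by the second one: `len(ranges)` cannot be negative, so whenever the first condition holds the second holds as well, and a single check against `subtreeRootsCursor+len(ranges)` is enough. Consider computing that upper bound once into a local variable and using it in the check, in the error message and in the slice expression `commitmentProof.SubtreeRoots[subtreeRootsCursor:subtreeRootsCursor+len(ranges)]` that follows, so the guard and the slice cannot drift apart in a later edit. The error text currently echoes the Go expressions; a message that says how many subtree roots the proof needs and how many were supplied would be easier for a caller to act on.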

/cc @liamsi @rootulp @musalbas

Relevant log output

No response

Is the node "stuck"? Has it stopped syncing?

No response

Notes

No response

@odeke-em odeke-em added the bug Something isn't working label Sep 15, 2024
@github-actions github-actions bot added the external Issues created by non node team members label Sep 15, 2024
odeke-em added a commit to orijtech/celestia-node that referenced this issue Sep 16, 2024
This change adds fuzzers+corpora that found some bugs, along
with tests and reproducers to catch future regressions.

Fixes celestiaorg#3727
Fixes celestiaorg#3728
Fixes celestiaorg#3729
Fixes celestiaorg#3730
Fixes celestiaorg#3731