diff --git a/.github/workflows/fuzz.yaml b/.github/workflows/fuzz.yaml
index 65ee4c00f..329a4283c 100644
--- a/.github/workflows/fuzz.yaml
+++ b/.github/workflows/fuzz.yaml
@@ -92,7 +92,7 @@ jobs:
 fuzz:
 if: ${{ github.repository == 'chainguard-dev/malcontent' && needs.discover.outputs.targets != '[]' }}
 needs: discover
- runs-on: ubuntu-latest-16-core
+ runs-on: ubuntu-latest
 permissions:
 contents: read
 strategy:
@@ -107,7 +107,7 @@ jobs:
 --cap-add SETUID
 --cap-drop ALL
 --cgroupns private
- --cpu-shares=16384
+ --cpu-shares=4096
 --memory-swappiness=0
 --security-opt no-new-privileges
 --ulimit core=0
@@ -132,8 +132,9 @@ jobs:
 run: |
 make samples
+ # -parallel=1 is used for now due to this: https://github.com/golang/go/issues/56238
 - name: Run fuzzer - ${{ matrix.target.test }}
 env:
 FUZZ_TIME: ${{ inputs.fuzz_time || '30s' }}
 run: |
- go test -timeout 0 -fuzz="${{ matrix.target.test }}" -fuzztime="${FUZZ_TIME}" "${{ matrix.target.package }}"
+ go test -parallel=1 -timeout 0 -fuzz="${{ matrix.target.test }}" -fuzztime="${FUZZ_TIME}" "${{ matrix.target.package }}"
diff --git a/pkg/archive/fuzz_test.go b/pkg/archive/fuzz_test.go
index 7ee4b9889..f0c47fa55 100644
--- a/pkg/archive/fuzz_test.go
+++ b/pkg/archive/fuzz_test.go
@@ -76,7 +76,7 @@ func FuzzExtractTar(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractTar(ctx, tmpDir, tmpFile.Name())
@@ -134,7 +134,7 @@ func FuzzExtractZip(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractZip(ctx, tmpDir, tmpFile.Name())
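Review bot: `--cpu-shares=4096` on the docker run line is a relative CFS weight rather than a cap: it only changes how this container competes with other cgroups on the same host, so on a runner where the fuzz container is the only busy cgroup the change from 16384 has no observable effect. If the intent behind moving to the smaller `ubuntu-latest` runner is to bound the fuzzer's CPU, `--cpus=<N>` is the flag that sets a hard quota; if the intent is only to keep the weight proportional to the runner size, a comment saying so would stop the next reader from expecting a limit, e.g. `# relative weight only; no hard CPU cap is intended`. The docker run command this flag belongs to starts before the hunk.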
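Review bot: The added comment says why `-parallel=1` is there but not what it restricts, and during fuzzing `-parallel` bounds the number of fuzz worker subprocesses rather than only `t.Parallel()` tests, so together with the move to `ubuntu-latest` every target now fuzzes on a single worker for the whole `FUZZ_TIME` window. A one-line rewording makes that throughput cost explicit for whoever revisits it: `# -parallel=1 restricts fuzzing to a single worker process; keep until https://github.com/golang/go/issues/56238 is resolved`.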
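Review bot: The per-input deadline on the new `context.WithTimeout` line is now 30s, the same as the workflow's default `FUZZ_TIME`, and because the result of `ExtractTar` is discarded with `_ =`, an input that runs all the way to the deadline is indistinguishable from a clean extraction; with a single fuzz worker, one such input can consume the entire fuzz window without anything being recorded. Making the hit visible costs two lines after the call, e.g. `if ctx.Err() != nil { t.Logf("extraction of %s hit the %s deadline", tmpFile.Name(), 30*time.Second) }` (assuming the fuzz closure's `*testing.T` is named `t`, which is not visible in the hunk). The same `30*time.Second` literal is now repeated in FuzzExtractZip, FuzzExtractArchive, FuzzExtractGzip, FuzzExtractBz2, FuzzExtractZstd, FuzzExtractZlib, FuzzExtractRPM, FuzzExtractDeb and FuzzExtractUPX in this file and in FuzzFile in pkg/programkind/fuzz_test.go; a package-level `const fuzzTimeout = 30 * time.Second` in each package would keep them in step the next time the budget changes. Each of these fuzz functions begins and ends outside its hunk.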
@@ -224,7 +224,7 @@ func FuzzExtractArchive(f *testing.F) {
 }
 tmpFile.Close()
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 cfg := malcontent.Config{}
 extractedDir, err := ExtractArchiveToTempDir(ctx, cfg, tmpFile.Name())
@@ -327,7 +327,7 @@ func FuzzExtractGzip(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractGzip(ctx, tmpDir, tmpFile.Name())
@@ -374,7 +374,7 @@ func FuzzExtractBz2(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractBz2(ctx, tmpDir, tmpFile.Name())
@@ -429,7 +429,7 @@ func FuzzExtractZstd(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractZstd(ctx, tmpDir, tmpFile.Name())
@@ -486,7 +486,7 @@ func FuzzExtractZlib(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractZlib(ctx, tmpDir, tmpFile.Name())
@@ -543,7 +543,7 @@ func FuzzExtractRPM(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractRPM(ctx, tmpDir, tmpFile.Name())
@@ -597,7 +597,7 @@ func FuzzExtractDeb(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractDeb(ctx, tmpDir, tmpFile.Name())
@@ -641,7 +641,7 @@ func FuzzExtractUPX(f *testing.F) {
 }
 defer os.RemoveAll(tmpDir)
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 _ = ExtractUPX(ctx, tmpDir, tmpFile.Name())
diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
index 1e7adc41e..63d18efbd 100644
--- a/pkg/compile/compile.go
+++ b/pkg/compile/compile.go
@@ -287,18 +287,24 @@ func loadCachedRules(cacheFile string) (*yarax.Rules, error) {
 // saveCachedRules saves rules to a local file.
 func saveCachedRules(compiledRules *yarax.Rules, cacheFile string) error {
- tmpFile := cacheFile + ".tmp"
- f, err := os.OpenFile(tmpFile, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
+ cacheDir := filepath.Dir(cacheFile)
+ f, err := os.CreateTemp(cacheDir, ".rules-*.cache.tmp")
 if err != nil {
 return fmt.Errorf("create cache file: %w", err)
 }
- defer f.Close()
+ tmpFile := f.Name()
 if _, err := compiledRules.WriteTo(f); err != nil {
+ f.Close()
 os.Remove(tmpFile)
 return fmt.Errorf("write rules to cache: %w", err)
 }
+ if err := f.Close(); err != nil {
+ os.Remove(tmpFile)
+ return fmt.Errorf("close cache file: %w", err)
+ }
+
 if err := os.Rename(tmpFile, cacheFile); err != nil {
 os.Remove(tmpFile)
 return fmt.Errorf("rename cache file: %w", err)
diff --git a/pkg/programkind/fuzz_test.go b/pkg/programkind/fuzz_test.go
index de5770a45..af6c8e847 100644
--- a/pkg/programkind/fuzz_test.go
+++ b/pkg/programkind/fuzz_test.go
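Review bot: The new `os.CreateTemp(cacheDir, ".rules-*.cache.tmp")` gives every run a fresh random name, so a process that dies between `CreateTemp` and the `os.Remove`/`os.Rename` leaves a `.rules-*.cache.tmp` file in the cache directory that nothing here removes, whereas the old fixed `cacheFile + ".tmp"` was simply overwritten on the next attempt; either sweep stale `.rules-*.cache.tmp` entries before creating a new one, or state the trade-off in a comment. The switch to `CreateTemp` is itself worth recording, since it creates the file exclusively with mode 0o600 beside the destination so the final `os.Rename` stays on one filesystem — a comment such as `// temp file lives beside cacheFile so the rename is an atomic same-filesystem replace` on the `cacheDir` line would preserve that reasoning. The bare `f.Close()` in the `WriteTo` error path drops its error without saying why; `_ = f.Close() // already failing; report the write error` makes that deliberate. `filepath` must be present in the file's import block, which this hunk does not show, and `saveCachedRules` continues past the end of the hunk.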
@@ -85,7 +85,7 @@ func FuzzFile(f *testing.F) {
 }
 tmpFile.Close()
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
 ft, err := File(ctx, tmpFile.Name())