import glibc-2.28-225.el8_8.6

11 months ago · f2f7ddc537
parent 105f0d4793
commit f2f7ddc537
5 changed files with 1702 additions and 1 deletions
--- a/SOURCES/glibc-RHEL-2422.patch
+++ b/SOURCES/glibc-RHEL-2422.patch
@ -0,0 +1,347 @@
+Avoid UAF in getcanonname (CVE-2023-4806)
+
+When an NSS plugin only implements the _gethostbyname2_r and
+_getcanonname_r callbacks, getaddrinfo could use memory that was freed
+during tmpbuf resizing, through h_name in a previous query response.
+
+The backing store for res->at->name when doing a query with
+gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
+gethosts during the query.  For AF_INET6 lookup with AI_ALL |
+AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
+for a v4 lookup.  In this case, if the first call reallocates tmpbuf
+enough number of times, resulting in a malloc, th->h_name (that
+res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
+Now if the second call to gethosts also causes the plugin callback to
+return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
+reference in res->at->name.  This then gets dereferenced in the
+getcanonname_r plugin call, resulting in the use after free.
+
+Fix this by copying h_name over and freeing it at the end.  This
+resolves BZ #30843, which is assigned CVE-2023-4806.  This is a minimal
+RHEL-8-specific fix.  Test case differences from upstream:
+
+- The test module needs to explicitly link against libnss_files on
+  RHEL-8; upstream libnss_files is built into libc.so.
+
+- Test module code was adapted to not use the upstream NSS module
+  convenience macros.
+
+This change is adapted from the following commit from upstream:
+
+commit 973fe93a5675c42798b2161c6f29c01b0e243994
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Fri Sep 15 13:51:12 2023 -0400
+
+    getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
+    
+    When an NSS plugin only implements the _gethostbyname2_r and
+    _getcanonname_r callbacks, getaddrinfo could use memory that was freed
+    during tmpbuf resizing, through h_name in a previous query response.
+    
+    The backing store for res->at->name when doing a query with
+    gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
+    gethosts during the query.  For AF_INET6 lookup with AI_ALL |
+    AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
+    for a v4 lookup.  In this case, if the first call reallocates tmpbuf
+    enough number of times, resulting in a malloc, th->h_name (that
+    res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
+    Now if the second call to gethosts also causes the plugin callback to
+    return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
+    reference in res->at->name.  This then gets dereferenced in the
+    getcanonname_r plugin call, resulting in the use after free.
+    
+    Fix this by copying h_name over and freeing it at the end.  This
+    resolves BZ #30843, which is assigned CVE-2023-4806.
+    
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/nss/Makefile b/nss/Makefile
+index cfb255c6e7a3a4de..5829a2539306ddb5 100644
+--- a/nss/Makefile
+++ b/nss/Makefile
+@@ -66,7 +66,8 @@ xtests			= bug-erange
+ tests-container = \
+ 			  tst-nss-db-endpwent \
+ 			  tst-nss-db-endgrent \
+-			  tst-nss-gai-actions
+			  tst-nss-gai-actions \
+			  tst-nss-gai-hv2-canonname
+ 
+ # Tests which need libdl
+ ifeq (yes,$(build-shared))
+@@ -132,7 +133,8 @@ routines                += $(libnss_files-routines)
+ static-only-routines    += $(libnss_files-routines)
+ tests-static		+= tst-nss-static
+ endif
+-extra-test-objs		+= nss_test1.os nss_test2.os nss_test_errno.os
+extra-test-objs		+= nss_test1.os nss_test2.os nss_test_errno.os \
+			   nss_test_gai_hv2_canonname.os
+ 
+ include ../Rules
+ 
+@@ -169,12 +171,17 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver
+ libof-nss_test1 = extramodules
+ libof-nss_test2 = extramodules
+ libof-nss_test_errno = extramodules
+libof-nss_test_gai_hv2_canonname = extramodules
+ $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
+ 	$(build-module)
+ $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
+ 	$(build-module)
+ $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps)
+ 	$(build-module)
+$(objpfx)/libnss_test_gai_hv2_canonname.so: \
+  $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) \
+  $(objpfx)/libnss_files.so
+	$(build-module)
+ $(objpfx)nss_test2.os : nss_test1.c
+ ifdef libnss_test1.so-version
+ $(objpfx)/libnss_test1.so$(libnss_test1.so-version): $(objpfx)/libnss_test1.so
+@@ -187,10 +194,14 @@ endif
+ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \
+   $(objpfx)/libnss_test_errno.so
+ 	$(make-link)
+$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
+  $(objpfx)/libnss_test_gai_hv2_canonname.so
+	$(make-link)
+ $(patsubst %,$(objpfx)%.out,$(tests)) : \
+ 	$(objpfx)/libnss_test1.so$(libnss_test1.so-version) \
+ 	$(objpfx)/libnss_test2.so$(libnss_test2.so-version) \
+-	$(objpfx)/libnss_test_errno.so$(libnss_files.so-version)
+	$(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \
+	$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
+ 
+ ifeq (yes,$(have-thread-library))
+ $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library)
+diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c
+new file mode 100644
+index 0000000000000000..4195d7d24fdd5f6d
+--- /dev/null
+++ b/nss/nss_test_gai_hv2_canonname.c
+@@ -0,0 +1,64 @@
+/* NSS service provider that only provides gethostbyname2_r.
+   Copyright The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <netdb.h>
+#include <nss.h>
+#include <stdlib.h>
+#include <string.h>
+#include "nss/tst-nss-gai-hv2-canonname.h"
+
+/* Catch misnamed and functions.  */
+#pragma GCC diagnostic error "-Wmissing-prototypes"
+
+extern enum nss_status _nss_files_gethostbyname2_r (const char *, int,
+						    struct hostent *, char *,
+						    size_t, int *, int *);
+
+enum nss_status
+_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *, int, struct hostent
+					      *, char *, size_t, int *, int *);
+
+enum nss_status
+_nss_test_gai_hv2_canonname_getcanonname_r (const char *, char *, size_t, char
+					    **, int *, int *);
+
+enum nss_status
+_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af,
+					      struct hostent *result,
+					      char *buffer, size_t buflen,
+					      int *errnop, int *herrnop)
+{
+  return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop,
+				      herrnop);
+}
+
+enum nss_status
+_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer,
+					    size_t buflen, char **result,
+					    int *errnop, int *h_errnop)
+{
+  /* We expect QUERYNAME, which is a small enough string that it shouldn't fail
+     the test.  */
+  if (memcmp (QUERYNAME, name, sizeof (QUERYNAME))
+      || buflen < sizeof (QUERYNAME))
+    abort ();
+
+  strncpy (buffer, name, buflen);
+  *result = buffer;
+  return NSS_STATUS_SUCCESS;
+}
+diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
+new file mode 100644
+index 0000000000000000..d5f10c07d6a90773
+--- /dev/null
+++ b/nss/tst-nss-gai-hv2-canonname.c
+@@ -0,0 +1,63 @@
+/* Test NSS query path for plugins that only implement gethostbyname2
+   (#30843).
+   Copyright The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <nss.h>
+#include <netdb.h>
+#include <stdlib.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/xstdio.h>
+#include "nss/tst-nss-gai-hv2-canonname.h"
+
+#define PREPARE do_prepare
+
+static void do_prepare (int a, char **av)
+{
+  FILE *hosts = xfopen ("/etc/hosts", "w");
+  for (unsigned i = 2; i < 255; i++)
+    {
+      fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i);
+      fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i);
+    }
+  xfclose (hosts);
+}
+
+static int
+do_test (void)
+{
+  __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
+
+  struct addrinfo hints = {};
+  struct addrinfo *result = NULL;
+
+  hints.ai_family = AF_INET6;
+  hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME;
+
+  int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result);
+
+  if (ret != 0)
+    FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret));
+
+  TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME);
+
+  freeaddrinfo(result);
+  return 0;
+}
+
+#include <support/test-driver.c>
+diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h
+new file mode 100644
+index 0000000000000000..14f2a9cb0867dff9
+--- /dev/null
+++ b/nss/tst-nss-gai-hv2-canonname.h
+@@ -0,0 +1 @@
+#define QUERYNAME "test.example.com"
+diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req
+new file mode 100644
+index 0000000000000000..e69de29bb2d1d643
+diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
+new file mode 100644
+index 0000000000000000..31848b4a28524af6
+--- /dev/null
+++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
+@@ -0,0 +1,2 @@
+cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2
+su
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 4fa963644af8b7d5..46046504a6858f2e 100644
+--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
+@@ -233,7 +233,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
+ 	}
+       array[i].next = array + i + 1;
+     }
+-  array[0].name = h->h_name;
+   array[count - 1].next = NULL;
+ 
+   *result = array;
+@@ -287,6 +286,18 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
+ 	}								      \
+       *pat = addrmem;							      \
+ 									      \
+      /* Store h_name so that it survives accidental deallocation when	      \
+	 gethosts is called again and tmpbuf gets reallocated.  */	      \
+      if (h_name == NULL && th.h_name != NULL)				      \
+        {								      \
+	  h_name = __strdup (th.h_name);				      \
+	  if (h_name == NULL)						      \
+	    {								      \
+	      __resolv_context_put (res_ctx);				      \
+	      result = -EAI_SYSTEM;					      \
+	      goto free_and_return;					      \
+	    }								      \
+	}								      \
+       if (localcanon != NULL && canon == NULL)				      \
+ 	{								      \
+ 	  canonbuf = __strdup (localcanon);				      \
+@@ -323,15 +334,15 @@ typedef enum nss_status (*nss_getcanonname_r)
+    memory allocation failure.  The returned string is allocated on the
+    heap; the caller has to free it.  */
+ static char *
+-getcanonname (service_user *nip, struct gaih_addrtuple *at, const char *name)
+getcanonname (service_user *nip, const char *hname, const char *name)
+ {
+   nss_getcanonname_r cfct = __nss_lookup_function (nip, "getcanonname_r");
+   char *s = (char *) name;
+   if (cfct != NULL)
+     {
+       char buf[256];
+-      if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf),
+-			      &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS)
+      if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno,
+			      &h_errno)) != NSS_STATUS_SUCCESS)
+ 	/* If the canonical name cannot be determined, use the passed
+ 	   string.  */
+ 	s = (char *) name;
+@@ -349,6 +360,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+   struct gaih_addrtuple *at = NULL;
+   bool got_ipv6 = false;
+   const char *canon = NULL;
+  char *h_name = NULL;
+   const char *orig_name = name;
+ 
+   /* Reserve stack memory for the scratch buffer in the getaddrinfo
+@@ -919,7 +931,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 			  if ((req->ai_flags & AI_CANONNAME) != 0
+ 			      && canon == NULL)
+ 			    {
+-			      canonbuf = getcanonname (nip, at, name);
+			      canonbuf = getcanonname (nip, h_name, name);
+ 			      if (canonbuf == NULL)
+ 				{
+ 				  __resolv_context_enable_inet6
+@@ -1169,6 +1181,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+     free ((char *) name);
+   free (addrmem);
+   free (canonbuf);
+  free (h_name);
+ 
+   return result;
+ }
--- a/SOURCES/glibc-RHEL-2434.patch
+++ b/SOURCES/glibc-RHEL-2434.patch
@ -0,0 +1,987 @@
+commit 1c37b8022e8763fedbb3f79c02e05c6acfe5a215
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Thu Mar 17 11:44:34 2022 +0530
+
+    Simplify allocations and fix merge and continue actions [BZ #28931]
+    
+    Allocations for address tuples is currently a bit confusing because of
+    the pointer chasing through PAT, making it hard to observe the sequence
+    in which allocations have been made.  Narrow scope of the pointer
+    chasing through PAT so that it is only used where necessary.
+    
+    This also tightens actions behaviour with the hosts database in
+    getaddrinfo to comply with the manual text.  The "continue" action
+    discards previous results and the "merge" action results in an immedate
+    lookup failure.  Consequently, chaining of allocations across modules is
+    no longer necessary, thus opening up cleanup opportunities.
+    
+    A test has been added that checks some combinations to ensure that they
+    work correctly.
+    
+    Resolves: BZ #28931
+    
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    Reviewed-by: DJ Delorie <dj@redhat.com>
+
+Conflicts:
+	nss/Makefile
+	(Missing test cases)
+	sysdeps/posix/getaddrinfo.c
+	(RES_USE_INET6 still present in RHEL-8 and NSS module traversal rewrite
+	not in RHEL-8)
+	nss/tst-nss-gai-actions.c
+	(Adapted SUCCESS=merge result to RHEL-8)
+
+diff --git a/nss/Makefile b/nss/Makefile
+index e8a7d9c7b3cefcdf..cfb255c6e7a3a4de 100644
+--- a/nss/Makefile
+++ b/nss/Makefile
+@@ -65,7 +65,8 @@ xtests			= bug-erange
+ 
+ tests-container = \
+ 			  tst-nss-db-endpwent \
+-			  tst-nss-db-endgrent
+			  tst-nss-db-endgrent \
+			  tst-nss-gai-actions
+ 
+ # Tests which need libdl
+ ifeq (yes,$(build-shared))
+diff --git a/nss/tst-nss-gai-actions.c b/nss/tst-nss-gai-actions.c
+new file mode 100644
+index 0000000000000000..c35e752896eceb2a
+--- /dev/null
+++ b/nss/tst-nss-gai-actions.c
+@@ -0,0 +1,156 @@
+/* Test continue and merge NSS actions for getaddrinfo.
+   Copyright The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <dlfcn.h>
+#include <gnu/lib-names.h>
+#include <nss.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <support/check.h>
+#include <support/format_nss.h>
+#include <support/support.h>
+#include <support/xstdio.h>
+#include <support/xunistd.h>
+
+enum
+{
+  ACTION_MERGE = 0,
+  ACTION_CONTINUE,
+};
+
+static const char *
+family_str (int family)
+{
+  switch (family)
+    {
+    case AF_UNSPEC:
+      return "AF_UNSPEC";
+    case AF_INET:
+      return "AF_INET";
+    default:
+      __builtin_unreachable ();
+    }
+}
+
+static const char *
+action_str (int action)
+{
+  switch (action)
+    {
+    case ACTION_MERGE:
+      return "merge";
+    case ACTION_CONTINUE:
+      return "continue";
+    default:
+      __builtin_unreachable ();
+    }
+}
+
+static void
+do_one_test (int action, int family, bool canon)
+{
+  struct addrinfo hints =
+    {
+      .ai_family = family,
+    };
+
+  struct addrinfo *ai;
+
+  if (canon)
+    hints.ai_flags = AI_CANONNAME;
+
+  printf ("***** Testing \"files [SUCCESS=%s] files\" for family %s, %s\n",
+	  action_str (action), family_str (family),
+	  canon ? "AI_CANONNAME" : "");
+
+  int ret = getaddrinfo ("example.org", "80", &hints, &ai);
+
+  switch (action)
+    {
+    case ACTION_MERGE:
+      if (ret == 0)
+	{
+	  if (hints.ai_flags == 0 && hints.ai_family == AF_INET)
+	    {
+	      printf ("*****      RHEL-8 limitation: "
+		      "NSS modules infrastructure incorrectly allows MERGE\n");
+	      return;
+	    }
+
+	  char *formatted = support_format_addrinfo (ai, ret);
+
+	  printf ("merge unexpectedly succeeded:\n %s\n", formatted);
+	  support_record_failure ();
+	  free (formatted);
+	}
+      else
+	return;
+    case ACTION_CONTINUE:
+	{
+	  char *formatted = support_format_addrinfo (ai, ret);
+
+	  /* Verify that the result appears exactly once.  */
+	  const char *expected = "address: STREAM/TCP 192.0.0.1 80\n"
+	    "address: DGRAM/UDP 192.0.0.1 80\n"
+	    "address: RAW/IP 192.0.0.1 80\n";
+
+	  const char *contains = strstr (formatted, expected);
+	  const char *contains2 = NULL;
+
+	  if (contains != NULL)
+	    contains2 = strstr (contains + strlen (expected), expected);
+
+	  if (contains == NULL || contains2 != NULL)
+	    {
+	      printf ("continue failed:\n%s\n", formatted);
+	      support_record_failure ();
+	    }
+
+	  free (formatted);
+	  break;
+	}
+    default:
+      __builtin_unreachable ();
+    }
+}
+
+static void
+do_one_test_set (int action)
+{
+  char buf[32];
+
+  snprintf (buf, sizeof (buf), "files [SUCCESS=%s] files",
+	    action_str (action));
+  __nss_configure_lookup ("hosts", buf);
+
+  do_one_test (action, AF_UNSPEC, false);
+  do_one_test (action, AF_INET, false);
+  do_one_test (action, AF_INET, true);
+}
+
+static int
+do_test (void)
+{
+  do_one_test_set (ACTION_CONTINUE);
+  do_one_test_set (ACTION_MERGE);
+  return 0;
+}
+
+#include <support/test-driver.c>
+diff --git a/nss/tst-nss-gai-actions.root/etc/host.conf b/nss/tst-nss-gai-actions.root/etc/host.conf
+new file mode 100644
+index 0000000000000000..d1a59f73a90f2993
+--- /dev/null
+++ b/nss/tst-nss-gai-actions.root/etc/host.conf
+@@ -0,0 +1 @@
+multi on
+diff --git a/nss/tst-nss-gai-actions.root/etc/hosts b/nss/tst-nss-gai-actions.root/etc/hosts
+new file mode 100644
+index 0000000000000000..50ce9774dc2c21d9
+--- /dev/null
+++ b/nss/tst-nss-gai-actions.root/etc/hosts
+@@ -0,0 +1,508 @@
+192.0.0.1	example.org
+192.0.0.2	example.org
+192.0.0.3	example.org
+192.0.0.4	example.org
+192.0.0.5	example.org
+192.0.0.6	example.org
+192.0.0.7	example.org
+192.0.0.8	example.org
+192.0.0.9	example.org
+192.0.0.10	example.org
+192.0.0.11	example.org
+192.0.0.12	example.org
+192.0.0.13	example.org
+192.0.0.14	example.org
+192.0.0.15	example.org
+192.0.0.16	example.org
+192.0.0.17	example.org
+192.0.0.18	example.org
+192.0.0.19	example.org
+192.0.0.20	example.org
+192.0.0.21	example.org
+192.0.0.22	example.org
+192.0.0.23	example.org
+192.0.0.24	example.org
+192.0.0.25	example.org
+192.0.0.26	example.org
+192.0.0.27	example.org
+192.0.0.28	example.org
+192.0.0.29	example.org
+192.0.0.30	example.org
+192.0.0.31	example.org
+192.0.0.32	example.org
+192.0.0.33	example.org
+192.0.0.34	example.org
+192.0.0.35	example.org
+192.0.0.36	example.org
+192.0.0.37	example.org
+192.0.0.38	example.org
+192.0.0.39	example.org
+192.0.0.40	example.org
+192.0.0.41	example.org
+192.0.0.42	example.org
+192.0.0.43	example.org
+192.0.0.44	example.org
+192.0.0.45	example.org
+192.0.0.46	example.org
+192.0.0.47	example.org
+192.0.0.48	example.org
+192.0.0.49	example.org
+192.0.0.50	example.org
+192.0.0.51	example.org
+192.0.0.52	example.org
+192.0.0.53	example.org
+192.0.0.54	example.org
+192.0.0.55	example.org
+192.0.0.56	example.org
+192.0.0.57	example.org
+192.0.0.58	example.org
+192.0.0.59	example.org
+192.0.0.60	example.org
+192.0.0.61	example.org
+192.0.0.62	example.org
+192.0.0.63	example.org
+192.0.0.64	example.org
+192.0.0.65	example.org
+192.0.0.66	example.org
+192.0.0.67	example.org
+192.0.0.68	example.org
+192.0.0.69	example.org
+192.0.0.70	example.org
+192.0.0.71	example.org
+192.0.0.72	example.org
+192.0.0.73	example.org
+192.0.0.74	example.org
+192.0.0.75	example.org
+192.0.0.76	example.org
+192.0.0.77	example.org
+192.0.0.78	example.org
+192.0.0.79	example.org
+192.0.0.80	example.org
+192.0.0.81	example.org
+192.0.0.82	example.org
+192.0.0.83	example.org
+192.0.0.84	example.org
+192.0.0.85	example.org
+192.0.0.86	example.org
+192.0.0.87	example.org
+192.0.0.88	example.org
+192.0.0.89	example.org
+192.0.0.90	example.org
+192.0.0.91	example.org
+192.0.0.92	example.org
+192.0.0.93	example.org
+192.0.0.94	example.org
+192.0.0.95	example.org
+192.0.0.96	example.org
+192.0.0.97	example.org
+192.0.0.98	example.org
+192.0.0.99	example.org
+192.0.0.100	example.org
+192.0.0.101	example.org
+192.0.0.102	example.org
+192.0.0.103	example.org
+192.0.0.104	example.org
+192.0.0.105	example.org
+192.0.0.106	example.org
+192.0.0.107	example.org
+192.0.0.108	example.org
+192.0.0.109	example.org
+192.0.0.110	example.org
+192.0.0.111	example.org
+192.0.0.112	example.org
+192.0.0.113	example.org
+192.0.0.114	example.org
+192.0.0.115	example.org
+192.0.0.116	example.org
+192.0.0.117	example.org
+192.0.0.118	example.org
+192.0.0.119	example.org
+192.0.0.120	example.org
+192.0.0.121	example.org
+192.0.0.122	example.org
+192.0.0.123	example.org
+192.0.0.124	example.org
+192.0.0.125	example.org
+192.0.0.126	example.org
+192.0.0.127	example.org
+192.0.0.128	example.org
+192.0.0.129	example.org
+192.0.0.130	example.org
+192.0.0.131	example.org
+192.0.0.132	example.org
+192.0.0.133	example.org
+192.0.0.134	example.org
+192.0.0.135	example.org
+192.0.0.136	example.org
+192.0.0.137	example.org
+192.0.0.138	example.org
+192.0.0.139	example.org
+192.0.0.140	example.org
+192.0.0.141	example.org
+192.0.0.142	example.org
+192.0.0.143	example.org
+192.0.0.144	example.org
+192.0.0.145	example.org
+192.0.0.146	example.org
+192.0.0.147	example.org
+192.0.0.148	example.org
+192.0.0.149	example.org
+192.0.0.150	example.org
+192.0.0.151	example.org
+192.0.0.152	example.org
+192.0.0.153	example.org
+192.0.0.154	example.org
+192.0.0.155	example.org
+192.0.0.156	example.org
+192.0.0.157	example.org
+192.0.0.158	example.org
+192.0.0.159	example.org
+192.0.0.160	example.org
+192.0.0.161	example.org
+192.0.0.162	example.org
+192.0.0.163	example.org
+192.0.0.164	example.org
+192.0.0.165	example.org
+192.0.0.166	example.org
+192.0.0.167	example.org
+192.0.0.168	example.org
+192.0.0.169	example.org
+192.0.0.170	example.org
+192.0.0.171	example.org
+192.0.0.172	example.org
+192.0.0.173	example.org
+192.0.0.174	example.org
+192.0.0.175	example.org
+192.0.0.176	example.org
+192.0.0.177	example.org
+192.0.0.178	example.org
+192.0.0.179	example.org
+192.0.0.180	example.org
+192.0.0.181	example.org
+192.0.0.182	example.org
+192.0.0.183	example.org
+192.0.0.184	example.org
+192.0.0.185	example.org
+192.0.0.186	example.org
+192.0.0.187	example.org
+192.0.0.188	example.org
+192.0.0.189	example.org
+192.0.0.190	example.org
+192.0.0.191	example.org
+192.0.0.192	example.org
+192.0.0.193	example.org
+192.0.0.194	example.org
+192.0.0.195	example.org
+192.0.0.196	example.org
+192.0.0.197	example.org
+192.0.0.198	example.org
+192.0.0.199	example.org
+192.0.0.200	example.org
+192.0.0.201	example.org
+192.0.0.202	example.org
+192.0.0.203	example.org
+192.0.0.204	example.org
+192.0.0.205	example.org
+192.0.0.206	example.org
+192.0.0.207	example.org
+192.0.0.208	example.org
+192.0.0.209	example.org
+192.0.0.210	example.org
+192.0.0.211	example.org
+192.0.0.212	example.org
+192.0.0.213	example.org
+192.0.0.214	example.org
+192.0.0.215	example.org
+192.0.0.216	example.org
+192.0.0.217	example.org
+192.0.0.218	example.org
+192.0.0.219	example.org
+192.0.0.220	example.org
+192.0.0.221	example.org
+192.0.0.222	example.org
+192.0.0.223	example.org
+192.0.0.224	example.org
+192.0.0.225	example.org
+192.0.0.226	example.org
+192.0.0.227	example.org
+192.0.0.228	example.org
+192.0.0.229	example.org
+192.0.0.230	example.org
+192.0.0.231	example.org
+192.0.0.232	example.org
+192.0.0.233	example.org
+192.0.0.234	example.org
+192.0.0.235	example.org
+192.0.0.236	example.org
+192.0.0.237	example.org
+192.0.0.238	example.org
+192.0.0.239	example.org
+192.0.0.240	example.org
+192.0.0.241	example.org
+192.0.0.242	example.org
+192.0.0.243	example.org
+192.0.0.244	example.org
+192.0.0.245	example.org
+192.0.0.246	example.org
+192.0.0.247	example.org
+192.0.0.248	example.org
+192.0.0.249	example.org
+192.0.0.250	example.org
+192.0.0.251	example.org
+192.0.0.252	example.org
+192.0.0.253	example.org
+192.0.0.254	example.org
+192.0.1.1	example.org
+192.0.1.2	example.org
+192.0.1.3	example.org
+192.0.1.4	example.org
+192.0.1.5	example.org
+192.0.1.6	example.org
+192.0.1.7	example.org
+192.0.1.8	example.org
+192.0.1.9	example.org
+192.0.1.10	example.org
+192.0.1.11	example.org
+192.0.1.12	example.org
+192.0.1.13	example.org
+192.0.1.14	example.org
+192.0.1.15	example.org
+192.0.1.16	example.org
+192.0.1.17	example.org
+192.0.1.18	example.org
+192.0.1.19	example.org
+192.0.1.20	example.org
+192.0.1.21	example.org
+192.0.1.22	example.org
+192.0.1.23	example.org
+192.0.1.24	example.org
+192.0.1.25	example.org
+192.0.1.26	example.org
+192.0.1.27	example.org
+192.0.1.28	example.org
+192.0.1.29	example.org
+192.0.1.30	example.org
+192.0.1.31	example.org
+192.0.1.32	example.org
+192.0.1.33	example.org
+192.0.1.34	example.org
+192.0.1.35	example.org
+192.0.1.36	example.org
+192.0.1.37	example.org
+192.0.1.38	example.org
+192.0.1.39	example.org
+192.0.1.40	example.org
+192.0.1.41	example.org
+192.0.1.42	example.org
+192.0.1.43	example.org
+192.0.1.44	example.org
+192.0.1.45	example.org
+192.0.1.46	example.org
+192.0.1.47	example.org
+192.0.1.48	example.org
+192.0.1.49	example.org
+192.0.1.50	example.org
+192.0.1.51	example.org
+192.0.1.52	example.org
+192.0.1.53	example.org
+192.0.1.54	example.org
+192.0.1.55	example.org
+192.0.1.56	example.org
+192.0.1.57	example.org
+192.0.1.58	example.org
+192.0.1.59	example.org
+192.0.1.60	example.org
+192.0.1.61	example.org
+192.0.1.62	example.org
+192.0.1.63	example.org
+192.0.1.64	example.org
+192.0.1.65	example.org
+192.0.1.66	example.org
+192.0.1.67	example.org
+192.0.1.68	example.org
+192.0.1.69	example.org
+192.0.1.70	example.org
+192.0.1.71	example.org
+192.0.1.72	example.org
+192.0.1.73	example.org
+192.0.1.74	example.org
+192.0.1.75	example.org
+192.0.1.76	example.org
+192.0.1.77	example.org
+192.0.1.78	example.org
+192.0.1.79	example.org
+192.0.1.80	example.org
+192.0.1.81	example.org
+192.0.1.82	example.org
+192.0.1.83	example.org
+192.0.1.84	example.org
+192.0.1.85	example.org
+192.0.1.86	example.org
+192.0.1.87	example.org
+192.0.1.88	example.org
+192.0.1.89	example.org
+192.0.1.90	example.org
+192.0.1.91	example.org
+192.0.1.92	example.org
+192.0.1.93	example.org
+192.0.1.94	example.org
+192.0.1.95	example.org
+192.0.1.96	example.org
+192.0.1.97	example.org
+192.0.1.98	example.org
+192.0.1.99	example.org
+192.0.1.100	example.org
+192.0.1.101	example.org
+192.0.1.102	example.org
+192.0.1.103	example.org
+192.0.1.104	example.org
+192.0.1.105	example.org
+192.0.1.106	example.org
+192.0.1.107	example.org
+192.0.1.108	example.org
+192.0.1.109	example.org
+192.0.1.110	example.org
+192.0.1.111	example.org
+192.0.1.112	example.org
+192.0.1.113	example.org
+192.0.1.114	example.org
+192.0.1.115	example.org
+192.0.1.116	example.org
+192.0.1.117	example.org
+192.0.1.118	example.org
+192.0.1.119	example.org
+192.0.1.120	example.org
+192.0.1.121	example.org
+192.0.1.122	example.org
+192.0.1.123	example.org
+192.0.1.124	example.org
+192.0.1.125	example.org
+192.0.1.126	example.org
+192.0.1.127	example.org
+192.0.1.128	example.org
+192.0.1.129	example.org
+192.0.1.130	example.org
+192.0.1.131	example.org
+192.0.1.132	example.org
+192.0.1.133	example.org
+192.0.1.134	example.org
+192.0.1.135	example.org
+192.0.1.136	example.org
+192.0.1.137	example.org
+192.0.1.138	example.org
+192.0.1.139	example.org
+192.0.1.140	example.org
+192.0.1.141	example.org
+192.0.1.142	example.org
+192.0.1.143	example.org
+192.0.1.144	example.org
+192.0.1.145	example.org
+192.0.1.146	example.org
+192.0.1.147	example.org
+192.0.1.148	example.org
+192.0.1.149	example.org
+192.0.1.150	example.org
+192.0.1.151	example.org
+192.0.1.152	example.org
+192.0.1.153	example.org
+192.0.1.154	example.org
+192.0.1.155	example.org
+192.0.1.156	example.org
+192.0.1.157	example.org
+192.0.1.158	example.org
+192.0.1.159	example.org
+192.0.1.160	example.org
+192.0.1.161	example.org
+192.0.1.162	example.org
+192.0.1.163	example.org
+192.0.1.164	example.org
+192.0.1.165	example.org
+192.0.1.166	example.org
+192.0.1.167	example.org
+192.0.1.168	example.org
+192.0.1.169	example.org
+192.0.1.170	example.org
+192.0.1.171	example.org
+192.0.1.172	example.org
+192.0.1.173	example.org
+192.0.1.174	example.org
+192.0.1.175	example.org
+192.0.1.176	example.org
+192.0.1.177	example.org
+192.0.1.178	example.org
+192.0.1.179	example.org
+192.0.1.180	example.org
+192.0.1.181	example.org
+192.0.1.182	example.org
+192.0.1.183	example.org
+192.0.1.184	example.org
+192.0.1.185	example.org
+192.0.1.186	example.org
+192.0.1.187	example.org
+192.0.1.188	example.org
+192.0.1.189	example.org
+192.0.1.190	example.org
+192.0.1.191	example.org
+192.0.1.192	example.org
+192.0.1.193	example.org
+192.0.1.194	example.org
+192.0.1.195	example.org
+192.0.1.196	example.org
+192.0.1.197	example.org
+192.0.1.198	example.org
+192.0.1.199	example.org
+192.0.1.200	example.org
+192.0.1.201	example.org
+192.0.1.202	example.org
+192.0.1.203	example.org
+192.0.1.204	example.org
+192.0.1.205	example.org
+192.0.1.206	example.org
+192.0.1.207	example.org
+192.0.1.208	example.org
+192.0.1.209	example.org
+192.0.1.210	example.org
+192.0.1.211	example.org
+192.0.1.212	example.org
+192.0.1.213	example.org
+192.0.1.214	example.org
+192.0.1.215	example.org
+192.0.1.216	example.org
+192.0.1.217	example.org
+192.0.1.218	example.org
+192.0.1.219	example.org
+192.0.1.220	example.org
+192.0.1.221	example.org
+192.0.1.222	example.org
+192.0.1.223	example.org
+192.0.1.224	example.org
+192.0.1.225	example.org
+192.0.1.226	example.org
+192.0.1.227	example.org
+192.0.1.228	example.org
+192.0.1.229	example.org
+192.0.1.230	example.org
+192.0.1.231	example.org
+192.0.1.232	example.org
+192.0.1.233	example.org
+192.0.1.234	example.org
+192.0.1.235	example.org
+192.0.1.236	example.org
+192.0.1.237	example.org
+192.0.1.238	example.org
+192.0.1.239	example.org
+192.0.1.240	example.org
+192.0.1.241	example.org
+192.0.1.242	example.org
+192.0.1.243	example.org
+192.0.1.244	example.org
+192.0.1.245	example.org
+192.0.1.246	example.org
+192.0.1.247	example.org
+192.0.1.248	example.org
+192.0.1.249	example.org
+192.0.1.250	example.org
+192.0.1.251	example.org
+192.0.1.252	example.org
+192.0.1.253	example.org
+192.0.1.254	example.org
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index fae3dea81f19dba6..4fa963644af8b7d5 100644
+--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
+@@ -474,11 +474,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+   if (name != NULL)
+     {
+-      at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
+-      at->family = AF_UNSPEC;
+-      at->scopeid = 0;
+-      at->next = NULL;
+-
+       if (req->ai_flags & AI_IDN)
+ 	{
+ 	  char *out;
+@@ -489,13 +484,21 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 	  malloc_name = true;
+ 	}
+ 
+-      if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
+      uint32_t addr[4];
+      if (__inet_aton_exact (name, (struct in_addr *) addr) != 0)
+ 	{
+	  at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
+	  at->scopeid = 0;
+	  at->next = NULL;
+
+ 	  if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
+-	    at->family = AF_INET;
+	    {
+	      memcpy (at->addr, addr, sizeof (at->addr));
+	      at->family = AF_INET;
+	    }
+ 	  else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED))
+ 	    {
+-	      at->addr[3] = at->addr[0];
+	      at->addr[3] = addr[0];
+ 	      at->addr[2] = htonl (0xffff);
+ 	      at->addr[1] = 0;
+ 	      at->addr[0] = 0;
+@@ -509,49 +512,62 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+ 	  if (req->ai_flags & AI_CANONNAME)
+ 	    canon = name;
+
+	  goto process_list;
+ 	}
+-      else if (at->family == AF_UNSPEC)
+
+      char *scope_delim = strchr (name, SCOPE_DELIMITER);
+      int e;
+
+      if (scope_delim == NULL)
+	e = inet_pton (AF_INET6, name, addr);
+      else
+	e = __inet_pton_length (AF_INET6, name, scope_delim - name, addr);
+
+      if (e > 0)
+ 	{
+-	  char *scope_delim = strchr (name, SCOPE_DELIMITER);
+-	  int e;
+-	  if (scope_delim == NULL)
+-	    e = inet_pton (AF_INET6, name, at->addr);
+	  at = alloca_account (sizeof (struct gaih_addrtuple),
+			       alloca_used);
+	  at->scopeid = 0;
+	  at->next = NULL;
+
+	  if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
+	    {
+	      memcpy (at->addr, addr, sizeof (at->addr));
+	      at->family = AF_INET6;
+	    }
+	  else if (req->ai_family == AF_INET
+		   && IN6_IS_ADDR_V4MAPPED (addr))
+	    {
+	      at->addr[0] = addr[3];
+	      at->addr[1] = addr[1];
+	      at->addr[2] = addr[2];
+	      at->addr[3] = addr[3];
+	      at->family = AF_INET;
+	    }
+ 	  else
+-	    e = __inet_pton_length (AF_INET6, name, scope_delim - name,
+-				    at->addr);
+-	  if (e > 0)
+ 	    {
+-	      if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
+-		at->family = AF_INET6;
+-	      else if (req->ai_family == AF_INET
+-		       && IN6_IS_ADDR_V4MAPPED (at->addr))
+-		{
+-		  at->addr[0] = at->addr[3];
+-		  at->family = AF_INET;
+-		}
+-	      else
+-		{
+-		  result = -EAI_ADDRFAMILY;
+-		  goto free_and_return;
+-		}
+-
+-	      if (scope_delim != NULL
+-		  && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
+-					   scope_delim + 1,
+-					   &at->scopeid) != 0)
+-		{
+-		  result = -EAI_NONAME;
+-		  goto free_and_return;
+-		}
+	      result = -EAI_ADDRFAMILY;
+	      goto free_and_return;
+	    }
+ 
+-	      if (req->ai_flags & AI_CANONNAME)
+-		canon = name;
+	  if (scope_delim != NULL
+	      && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
+				       scope_delim + 1,
+				       &at->scopeid) != 0)
+	    {
+	      result = -EAI_NONAME;
+	      goto free_and_return;
+ 	    }
+
+	  if (req->ai_flags & AI_CANONNAME)
+	    canon = name;
+
+	  goto process_list;
+ 	}
+ 
+-      if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0)
+      if ((req->ai_flags & AI_NUMERICHOST) == 0)
+ 	{
+-	  struct gaih_addrtuple **pat = &at;
+ 	  int no_data = 0;
+ 	  int no_inet6_data = 0;
+ 	  service_user *nip;
+@@ -560,6 +576,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 	  int no_more;
+ 	  struct resolv_context *res_ctx = NULL;
+ 	  bool res_enable_inet6 = false;
+	  bool do_merge = false;
+ 
+ 	  /* If we do not have to look for IPv6 addresses or the canonical
+ 	     name, use the simple, old functions, which do not support
+@@ -596,7 +613,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 			  result = -EAI_MEMORY;
+ 			  goto free_and_return;
+ 			}
+-		      *pat = addrmem;
+		      at = addrmem;
+ 		    }
+ 		  else
+ 		    {
+@@ -649,6 +666,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 		    }
+ 
+ 		  struct gaih_addrtuple *addrfree = addrmem;
+		  struct gaih_addrtuple **pat = &at;
+
+ 		  for (int i = 0; i < air->naddrs; ++i)
+ 		    {
+ 		      socklen_t size = (air->family[i] == AF_INET
+@@ -712,12 +731,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+ 		  free (air);
+ 
+-		  if (at->family == AF_UNSPEC)
+-		    {
+-		      result = -EAI_NONAME;
+-		      goto free_and_return;
+-		    }
+-
+ 		  goto process_list;
+ 		}
+ 	      else if (err == 0)
+@@ -756,6 +769,22 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+ 	  while (!no_more)
+ 	    {
+	      /* Always start afresh; continue should discard previous results
+		 and the hosts database does not support merge.  */
+	      at = NULL;
+	      free (canonbuf);
+	      free (addrmem);
+	      canon = canonbuf = NULL;
+	      addrmem = NULL;
+	      got_ipv6 = false;
+
+	      if (do_merge)
+		{
+		  __set_h_errno (NETDB_INTERNAL);
+		  __set_errno (EBUSY);
+		  break;
+		}
+
+ 	      no_data = 0;
+ 	      nss_gethostbyname4_r fct4 = NULL;
+ 
+@@ -768,12 +797,14 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 		{
+ 		  while (1)
+ 		    {
+-		      status = DL_CALL_FCT (fct4, (name, pat,
+		      status = DL_CALL_FCT (fct4, (name, &at,
+ 						   tmpbuf->data, tmpbuf->length,
+ 						   &errno, &h_errno,
+ 						   NULL));
+ 		      if (status == NSS_STATUS_SUCCESS)
+ 			break;
+		      /* gethostbyname4_r may write into AT, so reset it.  */
+		      at = NULL;
+ 		      if (status != NSS_STATUS_TRYAGAIN
+ 			  || errno != ERANGE || h_errno != NETDB_INTERNAL)
+ 			{
+@@ -800,7 +831,9 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 		      no_data = 1;
+ 
+ 		      if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL)
+-			canon = (*pat)->name;
+			canon = at->name;
+
+		      struct gaih_addrtuple **pat = &at;
+ 
+ 		      while (*pat != NULL)
+ 			{
+@@ -852,6 +885,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+ 		  if (fct != NULL)
+ 		    {
+		      struct gaih_addrtuple **pat = &at;
+
+ 		      if (req->ai_family == AF_INET6
+ 			  || req->ai_family == AF_UNSPEC)
+ 			{
+@@ -927,6 +962,10 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 	      if (nss_next_action (nip, status) == NSS_ACTION_RETURN)
+ 		break;
+ 
+	      /* The hosts database does not support MERGE.  */
+	      if (nss_next_action (nip, status) == NSS_ACTION_MERGE)
+		do_merge = true;
+
+ 	      if (nip->next == NULL)
+ 		no_more = -1;
+ 	      else
+@@ -960,7 +999,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 	}
+ 
+     process_list:
+-      if (at->family == AF_UNSPEC)
+      if (at == NULL)
+ 	{
+ 	  result = -EAI_NONAME;
+ 	  goto free_and_return;
--- a/SOURCES/glibc-RHEL-3035.patch
+++ b/SOURCES/glibc-RHEL-3035.patch
@ -0,0 +1,157 @@
+This patch was developed under embargo and cannot reference an upstream
+commit. To find the associated commit please review the upstream git
+log for CVE-2023-4911 to identify the relevant commits.
+
+Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date:   Tue Sep 19 18:39:32 2023 -0400
+
+    tunables: Terminate if end of input is reached (CVE-2023-4911)
+    
+    The string parsing routine may end up writing beyond bounds of tunestr
+    if the input tunable string is malformed, of the form name=name=val.
+    This gets processed twice, first as name=name=val and next as name=val,
+    resulting in tunestr being name=name=val:name=val, thus overflowing
+    tunestr.
+    
+    Terminate the parsing loop at the first instance itself so that tunestr
+    does not overflow.
+    
+    This also fixes up tst-env-setuid-tunables to actually handle failures
+    correct and add new tests to validate the fix for this CVE.
+    
+    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Conflicts:
+	NEWS
+	(Dropped)
+	elf/tst-env-setuid-tunables.c
+	(Trivial conflict at HAVE_TUNABLES)
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 3c84809d44381241..2c878e08ea197b29 100644
+--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
+@@ -193,11 +193,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
+	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
+@@ -257,9 +253,16 @@ parse_tunables (char *tunestr, char *valstring)
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
+      /* We reached the end while processing the tunable string.  */
+      if (p[len] == '\0')
+	break;
+
+      p += len + 1;
+     }
+
+  /* Terminate tunestr before we leave.  */
+  if (__libc_enable_secure)
+    tunestr[off] = '\0';
+ }
+ #endif
+ 
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 0b9b075c40598c6f..8b0861c4ad853040 100644
+--- a/elf/tst-env-setuid-tunables.c
+++ b/elf/tst-env-setuid-tunables.c
+@@ -52,6 +52,8 @@ const char *teststrings[] =
+   "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+   "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+   "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
+  "glibc.malloc.check=2",
+   "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+   "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+   ":glibc.malloc.garbage=2:glibc.malloc.check=1",
+@@ -70,6 +72,8 @@ const char *resultstrings[] =
+   "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
+  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
+  "",
+   "",
+   "",
+   "",
+@@ -84,11 +88,18 @@ test_child (int off)
+   const char *val = getenv ("GLIBC_TUNABLES");
+ 
+ #if HAVE_TUNABLES
+  printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
+  fflush (stdout);
+   if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+     return 0;
+ 
+   if (val != NULL)
+-    printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
+    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
+	    off, val, resultstrings[off]);
+  else
+    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
+
+  fflush (stdout);
+ 
+   return 1;
+ #else
+@@ -117,21 +128,26 @@ do_test (int argc, char **argv)
+       if (ret != 0)
+ 	exit (1);
+ 
+-      exit (EXIT_SUCCESS);
+      /* Special return code to make sure that the child executed all the way
+	 through.  */
+      exit (42);
+     }
+   else
+     {
+-      int ret = 0;
+-
+       /* Spawn tests.  */
+       for (int i = 0; i < array_length (teststrings); i++)
+ 	{
+ 	  char buf[INT_BUFSIZE_BOUND (int)];
+ 
+-	  printf ("Spawned test for %s (%d)\n", teststrings[i], i);
+	  printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ 	  snprintf (buf, sizeof (buf), "%d\n", i);
+	  fflush (stdout);
+ 	  if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+-	    exit (1);
+	    {
+	      printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);
+	      support_record_failure ();
+	      continue;
+	    }
+ 
+ 	  int status = support_capture_subprogram_self_sgid (buf);
+ 
+@@ -139,9 +155,14 @@ do_test (int argc, char **argv)
+ 	  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ 	    return EXIT_UNSUPPORTED;
+ 
+-	  ret |= status;
+	  if (WEXITSTATUS (status) != 42)
+	    {
+	      printf ("    [%d] child failed with status %d\n", i,
+		      WEXITSTATUS (status));
+	      support_record_failure ();
+	    }
+ 	}
+-      return ret;
+      return 0;
+     }
+ }
+ 
--- a/SOURCES/glibc-rh2234713.patch
+++ b/SOURCES/glibc-rh2234713.patch
@ -0,0 +1,187 @@
+commit bd77dd7e73e3530203be1c52c8a29d08270cb25d
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Wed Sep 13 14:10:56 2023 +0200
+
+    CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
+
+    Without passing alt_dns_packet_buffer, __res_context_search can only
+    store 2048 bytes (what fits into dns_packet_buffer).  However,
+    the function returns the total packet size, and the subsequent
+    DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
+    of the stack-allocated buffer.
+
+    Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
+    stub resolver option") and bug 30842.
+
+Conflicts:
+	resolv/nss_dns/dns-host.c
+	  (missing dns_packet_buffer cleanup downstream)
+
+diff --git a/resolv/Makefile b/resolv/Makefile
+index ab8ad49b5318ad41..4f4eaf060443c128 100644
+--- a/resolv/Makefile
+++ b/resolv/Makefile
+@@ -58,6 +58,7 @@ tests += \
+   tst-resolv-edns \
+   tst-resolv-network \
+   tst-resolv-noaaaa \
+  tst-resolv-noaaaa-vc \
+   tst-resolv-nondecimal \
+   tst-resolv-res_init-multi \
+   tst-resolv-search \
+@@ -202,6 +203,7 @@ $(objpfx)tst-resolv-res_init-multi: $(objpfx)libresolv.so \
+ $(objpfx)tst-resolv-res_init-thread: $(libdl) $(objpfx)libresolv.so \
+   $(shared-thread-library)
+ $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library)
+$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index ff0a0b6f7f1f4703..f678c7d7caa3a026 100644
+--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
+@@ -392,7 +392,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+   else
+     {
+       n = __res_context_search (ctx, name, C_IN, T_A,
+-				host_buffer.buf->buf, 2048, NULL,
+				host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ 				NULL, NULL, NULL, NULL);
+       if (n >= 0)
+ 	status = gaih_getanswer_noaaaa (host_buffer.buf, n,
+diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c
+new file mode 100644
+index 0000000000000000..9f5aebd99f2d74a2
+--- /dev/null
+++ b/resolv/tst-resolv-noaaaa-vc.c
+@@ -0,0 +1,129 @@
+/* Test the RES_NOAAAA resolver option with a large response.
+   Copyright (C) 2022-2023 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/check_nss.h>
+#include <support/resolv_test.h>
+#include <support/support.h>
+#include <support/xmemstream.h>
+
+/* Used to keep track of the number of queries.  */
+static volatile unsigned int queries;
+
+/* If true, add a large TXT record at the start of the answer section.  */
+static volatile bool stuff_txt;
+
+static void
+response (const struct resolv_response_context *ctx,
+          struct resolv_response_builder *b,
+          const char *qname, uint16_t qclass, uint16_t qtype)
+{
+  /* If not using TCP, just force its use.  */
+  if (!ctx->tcp)
+    {
+      struct resolv_response_flags flags = {.tc = true};
+      resolv_response_init (b, flags);
+      resolv_response_add_question (b, qname, qclass, qtype);
+      return;
+    }
+
+  /* The test needs to send four queries, the first three are used to
+     grow the NSS buffer via the ERANGE handshake.  */
+  ++queries;
+  TEST_VERIFY (queries <= 4);
+
+  /* AAAA queries are supposed to be disabled.  */
+  TEST_COMPARE (qtype, T_A);
+  TEST_COMPARE (qclass, C_IN);
+  TEST_COMPARE_STRING (qname, "example.com");
+
+  struct resolv_response_flags flags = {};
+  resolv_response_init (b, flags);
+  resolv_response_add_question (b, qname, qclass, qtype);
+
+  resolv_response_section (b, ns_s_an);
+
+  if (stuff_txt)
+    {
+      resolv_response_open_record (b, qname, qclass, T_TXT, 60);
+      int zero = 0;
+      for (int i = 0; i <= 15000; ++i)
+        resolv_response_add_data (b, &zero, sizeof (zero));
+      resolv_response_close_record (b);
+    }
+
+  for (int i = 0; i < 200; ++i)
+    {
+      resolv_response_open_record (b, qname, qclass, qtype, 60);
+      char ipv4[4] = {192, 0, 2, i + 1};
+      resolv_response_add_data (b, &ipv4, sizeof (ipv4));
+      resolv_response_close_record (b);
+    }
+}
+
+static int
+do_test (void)
+{
+  struct resolv_test *obj = resolv_test_start
+    ((struct resolv_redirect_config)
+     {
+       .response_callback = response
+     });
+
+  _res.options |= RES_NOAAAA;
+
+  for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt)
+    {
+      queries = 0;
+      stuff_txt = do_stuff_txt;
+
+      struct addrinfo *ai = NULL;
+      int ret;
+      ret = getaddrinfo ("example.com", "80",
+                         &(struct addrinfo)
+                         {
+                           .ai_family = AF_UNSPEC,
+                           .ai_socktype = SOCK_STREAM,
+                         }, &ai);
+
+      char *expected_result;
+      {
+        struct xmemstream mem;
+        xopen_memstream (&mem);
+        for (int i = 0; i < 200; ++i)
+          fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1);
+        xfclose_memstream (&mem);
+        expected_result = mem.buffer;
+      }
+
+      check_addrinfo ("example.com", ai, ret, expected_result);
+
+      free (expected_result);
+      freeaddrinfo (ai);
+    }
+
+  resolv_test_end (obj);
+  return 0;
+}
+
+#include <support/test-driver.c>
--- a/SPECS/glibc.spec
+++ b/SPECS/glibc.spec
@ -132,7 +132,7 @@ end \
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: %{glibcrelease}
+Release: %{glibcrelease}.6

 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
 # libraries.
@ -1031,6 +1031,11 @@ Patch838: glibc-rh2142937-3.patch
 Patch839: glibc-rh2144568.patch
 Patch840: glibc-rh2154914-1.patch
 Patch841: glibc-rh2154914-2.patch
+# (Reverted fixes for rh2237433 were here.)
+Patch848: glibc-rh2234713.patch
+Patch849: glibc-RHEL-2434.patch
+Patch850: glibc-RHEL-2422.patch
+Patch851: glibc-RHEL-3035.patch

 ##############################################################################
 # Continued list of core "glibc" package information:
@ -2861,6 +2866,24 @@ fi
 %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared

 %changelog
+* Wed Sep 20 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-236.6
+- CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-3035)
+
+* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.28-236.5
+- Revert: Always call destructors in reverse constructor order (#2237433)
+
+* Mon Sep 18 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-225.4
+- CVE-2023-4806: potential use-after-free in getaddrinfo (RHEL-2422)
+
+* Fri Sep 15 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-225.3
+- CVE-2023-4813: potential use-after-free in gaih_inet (RHEL-2434)
+
+* Fri Sep 15 2023 Carlos O'Donell <carlos@redhat.com> - 2.28-225.2
+- CVE-2023-4527: Stack read overflow in getaddrinfo in no-aaaa mode (#2234713)
+
+* Tue Sep 12 2023 Florian Weimer <fweimer@redhat.com> - 2.28-225.1
+- Always call destructors in reverse constructor order (#2237433)
+
 * Fri Jan 20 2023 Florian Weimer <fweimer@redhat.com> - 2.28-225
 - Enforce a specififc internal ordering for tunables (#2154914)