From df2a403efa4cce80bed105a6e7e25b97634ae1b9 Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Mon, 25 Sep 2023 07:54:46 +0100
Subject: [PATCH] Fix memory leak regression in getaddrinfo (RHEL-2426)

Related: RHEL-2426
---
glibc-RHEL-2426-14.patch | 37 ++++++++++++++++++
glibc-RHEL-2426-15.patch | 84 ++++++++++++++++++++++++++++++++++++++++
glibc.spec | 7 +++-
3 files changed, 127 insertions(+), 1 deletion(-)
create mode 100644 glibc-RHEL-2426-14.patch
create mode 100644 glibc-RHEL-2426-15.patch
diff --git a/glibc-RHEL-2426-14.patch b/glibc-RHEL-2426-14.patch
new file mode 100644
index 0000000..0a4d027
--- /dev/null
+++ b/glibc-RHEL-2426-14.patch
@@ -0,0 +1,37 @@
+commit 57e349b1b0df1aee2dcd19dae1f324bde25ff8f0
+Author: H.J. Lu
+Date: Wed Dec 8 07:02:27 2021 -0800
+
+ Disable DT_RUNPATH on NSS tests [BZ #28455]
+
+ The glibc internal NSS functions should always load NSS modules from
+ the system. For testing purpose, disable DT_RUNPATH on NSS tests so
+ that the glibc internal NSS functions can load testing NSS modules
+ via DT_RPATH.
+
+ This partially fixes BZ #28455.
+
+ Reviewed-by: Carlos O'Donell
+
+Conflicts:
+ nss/Makefile
+ (different test backport order)
+
+diff --git a/nss/Makefile b/nss/Makefile
+index 64b29745131d3cf5..9af46fb3a8195809 100644
+--- a/nss/Makefile
++++ b/nss/Makefile
+@@ -215,3 +215,13 @@ endif
+
+ $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
+ $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
++
++# Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
++# functions can load testing NSS modules via DT_RPATH.
++LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
++LDFLAGS-tst-nss-test2 = -Wl,--disable-new-dtags
++LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags
++LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags
++LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags
++LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags
++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags
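Review bot: The last added line of the nss/Makefile hunk sets `LDFLAGS-tst-nss-test_gai_hv2_canonname`, but the test this commit exercises is named `tst-nss-gai-hv2-canonname` (see `tst-nss-gai-hv2-canonname-ENV` and `nss/tst-nss-gai-hv2-canonname.c` in glibc-RHEL-2426-15.patch), so the flag appears to attach to a target name that is never linked. If that reading is right, that test still gets DT_RUNPATH and the line should read `LDFLAGS-tst-nss-gai-hv2-canonname = -Wl,--disable-new-dtags`. The Makefile's list of tests is outside the hunk, so confirm the target name before changing it.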
diff --git a/glibc-RHEL-2426-15.patch b/glibc-RHEL-2426-15.patch
new file mode 100644
index 0000000..fc8d4b4
--- /dev/null
+++ b/glibc-RHEL-2426-15.patch
@@ -0,0 +1,84 @@
+commit ec6b95c3303c700eb89eebeda2d7264cc184a796
+Author: Romain Geissler
+Date: Mon Sep 25 01:21:51 2023 +0100
+
+ Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
+
+ This patch fixes a very recently added leak in getaddrinfo.
+
+ Reviewed-by: Siddhesh Poyarekar
+
+diff --git a/nss/Makefile b/nss/Makefile
+index 9af46fb3a8195809..62a68880198c243c 100644
+--- a/nss/Makefile
++++ b/nss/Makefile
+@@ -148,6 +148,15 @@ endif
+ extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
+ nss_test_gai_hv2_canonname.os
+
++ifeq ($(run-built-tests),yes)
++ifneq (no,$(PERL))
++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
++endif
++endif
++
++generated += mtrace-tst-nss-gai-hv2-canonname.out \
++ tst-nss-gai-hv2-canonname.mtrace
++
+ include ../Rules
+
+ ifeq (yes,$(have-selinux))
+@@ -216,6 +225,17 @@ endif
+ $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
+ $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+
++tst-nss-gai-hv2-canonname-ENV = \
++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
++ $(objpfx)tst-nss-gai-hv2-canonname.out
++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
++ && $(common-objpfx)malloc/mtrace \
++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
++ $(evaluate-test)
++
+ # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
+ # functions can load testing NSS modules via DT_RPATH.
+ LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
+diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
+index d5f10c07d6a90773..7db53cf09da8dcb6 100644
+--- a/nss/tst-nss-gai-hv2-canonname.c
++++ b/nss/tst-nss-gai-hv2-canonname.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include "nss/tst-nss-gai-hv2-canonname.h"
+@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
+ static int
+ do_test (void)
+ {
++ mtrace ();
++
+ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
+
+ struct addrinfo hints = {};
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 10dc63542f337693..d6046a707f1d742a 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -1196,9 +1196,7 @@ free_and_return:
+ if (malloc_name)
+ free ((char *) name);
+ free (addrmem);
+- if (res.free_at)
+- free (res.at);
+- free (res.canon);
++ gaih_result_reset (&res);
+
+ return result;
+ }
diff --git a/glibc.spec b/glibc.spec
index a47a4ee..15f0b37 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -155,7 +155,7 @@ end \ Summary: The GNU libc libraries Name: glibc Version: %{glibcversion} -Release: 83%{?dist}.6 +Release: 83%{?dist}.7 # In general, GPLv2+ is used by programs, LGPLv2+ is used for # libraries.
@@ -768,6 +768,8 @@ Patch531: glibc-RHEL-2426-11.patch Patch532: glibc-RHEL-2426-12.patch Patch533: glibc-RHEL-2426-13.patch Patch534: glibc-RHEL-3000.patch +Patch535: glibc-RHEL-2426-14.patch +Patch536: glibc-RHEL-2426-15.patch ############################################################################## # Continued list of core "glibc" package information:
@@ -2925,6 +2927,9 @@ update_gconv_modules_cache () %endif %changelog +* Mon Sep 25 2023 Florian Weimer - 2.34-83.7 +- Fix memory leak regression in getaddrinfo (RHEL-2426) + * Tue Sep 19 2023 Carlos O'Donell - 2.34-83.6 - CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-3000)
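Review bot: In the sysdeps/posix/getaddrinfo.c part of glibc-RHEL-2426-15.patch, the cleanup at `free_and_return` now rests entirely on `gaih_result_reset (&res)`, whose body is outside the hunk, so the patch does not show which allocation was leaking or that `res.at` is still released only when `res.free_at` is set. A comment at the call would record the contract for later backports: `/* Frees every allocation owned by RES; new heap-backed members must be released in gaih_result_reset. */`. Since this is a resolver exit path, a missed free would presumably accumulate per lookup in a long-running process, which is why the ownership rule is worth stating where the cleanup happens. The added mtrace check covers only the `tst-nss-gai-hv2-canonname` scenario, and the enclosing function starts outside the hunk.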