IBM Domino 'bindsock' cannot bind to ports <1024 since recent kernel 3.5.0-45.68

On Tue, Jan 14, 2014 at 01:07:24AM +0000, MR Mail wrote:

> Just a query about what might have changed in Ubuntu's Kernel 3.5.0-45
> that would kill IBM Domino's /opt/ibm/domino/notes/latest/linux/bindsock
> binary that runs as root (setuid) to get ports lower than 1024 (SMTP IMAP
> POP3 and HTTP) for the service account that runs the main application
> server?
>
> A number of us have to hold back the kernel now and there's lots of
> scratching going on.
> http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=485F5F092833BCBE85257C33006AC7A3
>
> Another thing in the server console spits out which is unusual is
> "Error_CmdToDo_INVAL"... might be an IBM thang.
>
> Don't know if this is something that's been deprecated or a bug in the
> latest kernel versions. It does seem limited to IBM Domino.

To precee the thread above. Various people on various releases are
reporting that a kernel update is preventing domino server starting.
Specifically they are all reporting that the setuid bindsock helper is
failing to bind port 25:

    SMTP Server: Listener failure: 'bindsock' is missing, not executable,
    not owned by root, not setuid root or user needs net_privaddr privilege

As an aside, the above thread suggest that setuid is not working.
I cannot see any commits which could cause such a behavioural change,
and if there was such an issue sudo et al would also stop working,
I think this would have been noticed.

Various reporters note kernel version on various releases:

    GOOD BAD
    3.5.0-43-generic 3.5.0-44-generic
    3.11.0-13 3.11.0-14
    3.2.0-56 3.2.0-58

I have briefly reviewed the changes in these pairs which all include the
application of an upstream stable update, looking for those relating to
sockets in general of which there are a couple in common on all three of
these updates:

    net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race
    net: heap overflow in __audit_sockaddr()

The latter of these I do see a further upstream fix for which will
appear in the next 3.2.0 kernel, which _might_ be relevant.

As for the next steps:

1) lets get a bug filed against the linux package containing the data
   above, by someone who is able to run some test kernels to debug
   the issue (run 'ubuntu-bug linux' to get such a bug filed),
2) could someone who has this issue attempt to get an strace from this
   helper as it tries to make these sockets so we can try and identify
   what is failing.

Once we have a bug filed we can try and bisect between say
3.5.0-43-generic and 3.5.0-44-generic to find the patch which triggers
the behaviour.

Please reply to this email with the bug number once it is filed.

-apw

I suspect that this recvmsg is triggering the error that is emitted:

    2775 recvmsg(9, 0x7fffbff554f0, 0) = -1 EINVAL (Invalid argument)

This might well indicate that this subprocess is using msg ipc to communicate the connected socket back to the unpriviledged master process. This could well occur if the bindsock process is passing an overly large message buffer, which is technically erroneous. This became fatal in the commit below in mainline:

  1661bf364ae9c506bc8795fef70d1532931be1e8
  Author: Dan Carpenter <email address hidden>
  Date: Thu Oct 3 00:27:20 2013 +0300

    net: heap overflow in __audit_sockaddr

This commit was applied to the various versions listed above as part of various stable updates.

There has subsequently been a fix for this commit which softens the effect for badly behaving callers:

  1661bf364ae9c506bc8795fef70d1532931be1e8
  Author: Dan Carpenter <email address hidden>
  Date: Thu Oct 3 00:27:20 2013 +0300

    net: heap overflow in __audit_sockaddr

This commit has recently hit v3.2.x stable but is not yet in any released kernel.

I have built a test kernel with the above fix applied. Could you test this kernel and let us know if this fixes the issue. The kernel is at the URL below:

    http://people.canonical.com/~apw/lp1269053-quantal/

Please report any testing back here.

Hi Andy

Wow, quick and accurate Andy ! Well done that works.

Installed
 linux-headers-3.5.0-45_3.5.0-45.68lp1269053v201401141702_all.deb
 linux-headers-3.5.0-45-generic_3.5.0-45.68lp1269053v201401141702_amd64.deb
 linux-image-3.5.0-45-generic_3.5.0-45.68lp1269053v201401141702_amd64.deb
Reboot, selecting 3.5.0-45 from GRUB list
Check running 3.5.0-45.68lp1269053v201401141702 by `uname -a`
Launched Domino as normal service and services are able to bind to all ports SMTP HTTP IMAP POP3 LDAP.

You are a star !!! Thanks for this !!!

Anything else I need to check/do and what happens now with this ?

Many thanks
MR

I have submitted the patch for this issue to kernel-team@ for review and application.

Ok this patch has hit all of our upstream stable trees and will hit the various kernels in the next SRU cycle. Note that this is not the next kernel which will hit the archive for all releases, for precise it is included in that very next kernel, other releases it will be the following kernel.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-saucy' to 'verification-done-saucy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

IBM Domino is able to bind to ports lower than 1024. This is fixed in "saucy-proposed"

Enabled "saucy-proposed"

Installed linux-image-server/saucy-proposed linux-headers-server/saucy-proposed linux-headers-generic/saucy-proposed linux-image-generic/saucy-proposed

Rebooted with new kernel: Linux mru64dom64-1 3.11.0-17-generic #31-Ubuntu SMP Mon Feb 3 21:52:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Thanks folks !!!
MR

I had to revert to Ubuntu server 13.04 that did not have the bug in order
to keep my business running on IBM Domino. Will this kernel fix work on
13.04? If not, I will not be able to test the fix.

73 & Cheers,
Ken Behrens
IBM Certified Advanced Application Developer Lotus Notes & Domino 7
MicroBlue Software, LLC
KB0YLN
E-mail: <email address hidden>
Web site: http://www.MicroBlueSoftware.com

From: Brad Figg <email address hidden>
To: <email address hidden>
Date: 02/06/2014 11:50 AM
Subject: [Bug 1269053] Re: IBM Domino 'bindsock' cannot bind to
ports <1024 since recent kernel 3.5.0-45.68
Sent by: <email address hidden>

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
saucy' to 'verification-done-saucy'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

** Tags added: verification-needed-saucy

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1269053

Title:
  IBM Domino 'bindsock' cannot bind to ports <1024 since recent kernel
  3.5.0-45.68

Status in ?linux? package in Ubuntu:
  Fix Released
Status in ?linux-lts-quantal? package in Ubuntu:
  Invalid
Status in ?linux-lts-raring? package in Ubuntu:
  Invalid
Status in ?linux-lts-saucy? package in Ubuntu:
  Invalid
Status in ?linux? source package in Precise:
  Fix Committed
Status in ?linux-lts-quantal? source package in Precise:
  Confirmed
Status in ?linux-lts-raring? source package in Precise:
  Fix Committed
Status in ?linux-lts-saucy? source package in Precise:
  Fix Committed
Status in ?linux? source package in Quantal:
  Fix Committed
Status in ?linux-lts-quantal? source package in Quantal:
  Invalid
Status in ?linux-lts-raring? source package in Quantal:
  Invalid
Status in ?linux-lts-saucy? source package in Quantal:
  Invalid
Status in ?linux? source package in Saucy:
  Fix Committed
Status in ?linux-lts-quantal? source package in Saucy:
  Invalid
Status in ?linux-lts-raring? source package in Saucy:
  Invalid
Status in ?linux-lts-saucy? source package in Saucy:
  Invalid
Status in ?linux? source package in Trusty:
  Fix Released
Status in ?linux-lts-quantal? source package in Trusty:
  Invalid
Status in ?linux-lts-raring? source package in Trusty:
  Invalid
Status in ?linux-lts-saucy? source package in Trusty:
  Invalid

Bug description:
  Something has changed in Ubuntu's Kernel 3.5.0-45 32 & 64-bit Intel,
  has prevented IBM Domino's
  "/opt/ibm/domino/notes/latest/linux/bindsock" binary that runs as root
  (setuid) to get ports lower than 1024 for it's LDAP, SMTP, IMAP, POP3,
  and HTTP processes. The IBM Domino Application Server's parent process
  "/opt/ibm/domino/notes/latest/linux/server" runs as a Service Account
  or a normal non-admin user, that launches "bindsock"and others like
  "http", "ldap"....
...

This bug was fixed in the package linux - 3.11.0-17.31

---------------
linux (3.11.0-17.31) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1275899
  * Revert "UBUNTU: SAUCE: Fix compat_sys_recvmsg on x32 archs"

  [ John Johansen ]

  * [Upstream] x86, x32: Correct invalid use of user timespec in the kernel
    - LP: #1274754

linux (3.11.0-17.30) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1270292

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * Revert "ACPI: Add BayTrail SoC GPIO and LPSS ACPI IDs"

linux (3.11.0-17.29) saucy; urgency=low

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * GFS2: Fix ref count bug relating to atomic_open
    - LP: #1269863
  * aio: restore locking of ioctx list on removal
    - LP: #1269863
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1269863
  * net/mlx4_en: Fixed crash when port type is changed
    - LP: #1269863
  * net: Fix "ip rule delete table 256"
    - LP: #1269863
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1269863
  * ipv6: protect for_each_sk_fl_rcu in mem_check with rcu_read_lock_bh
    - LP: #1269863

linux (3.11.0-17.28) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1269875

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * igb: Update link modes display in ethtool
  * Revert "mac80211: allow disable power save in mesh"
    - LP: #1269863
  * Revert "of/address: Handle #address-cells > 2 specially"
    - LP: #1269863
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * random32: fix off-by-one in seeding requirement
    - LP: #1269863
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1269863
  * usbnet: fix status interrupt urb handling
    - LP: #1269863
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1269863
  * tuntap: limit head length of skb allocated
    - LP: #1269863
  * macvtap: limit head length of skb allocated
    - LP: #1269863
  * tcp: tsq: restore minimal amount of queueing
    - LP: #1269863
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1269863
  * net-tcp: fix panic in tcp_fastopen_cache_set()
    - LP: #1269863
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1269863
  * connector: improved unaligned access error fix
    - LP: #1269863
  * ipv4: fix possible seqlock deadlock
    - LP: #1269863
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1269863
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1269863
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1269863
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1269863
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1269863
  * ip6_output: fragment outgoing reassembled skb properly
    - LP: #1269863
  * netfilter: push reasm skb through instead of original frag skbs
    - LP: #1269863
  * xf...

This bug was fixed in the package linux-lts-saucy - 3.11.0-17.31~precise1

---------------
linux-lts-saucy (3.11.0-17.31~precise1) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1270372
  * Revert "UBUNTU: SAUCE: Fix compat_sys_recvmsg on x32 archs"

  [ John Johansen ]

  * [Upstream] x86, x32: Correct invalid use of user timespec in the kernel
    - LP: #1274754

linux (3.11.0-17.30) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1270292

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * Revert "ACPI: Add BayTrail SoC GPIO and LPSS ACPI IDs"

linux (3.11.0-17.29) saucy; urgency=low

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * GFS2: Fix ref count bug relating to atomic_open
    - LP: #1269863
  * aio: restore locking of ioctx list on removal
    - LP: #1269863
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1269863
  * net/mlx4_en: Fixed crash when port type is changed
    - LP: #1269863
  * net: Fix "ip rule delete table 256"
    - LP: #1269863
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1269863
  * ipv6: protect for_each_sk_fl_rcu in mem_check with rcu_read_lock_bh
    - LP: #1269863

linux (3.11.0-17.28) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1269875

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * igb: Update link modes display in ethtool
  * Revert "mac80211: allow disable power save in mesh"
    - LP: #1269863
  * Revert "of/address: Handle #address-cells > 2 specially"
    - LP: #1269863
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * random32: fix off-by-one in seeding requirement
    - LP: #1269863
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1269863
  * usbnet: fix status interrupt urb handling
    - LP: #1269863
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1269863
  * tuntap: limit head length of skb allocated
    - LP: #1269863
  * macvtap: limit head length of skb allocated
    - LP: #1269863
  * tcp: tsq: restore minimal amount of queueing
    - LP: #1269863
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1269863
  * net-tcp: fix panic in tcp_fastopen_cache_set()
    - LP: #1269863
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1269863
  * connector: improved unaligned access error fix
    - LP: #1269863
  * ipv4: fix possible seqlock deadlock
    - LP: #1269863
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1269863
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1269863
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1269863
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1269863
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1269863
  * ip6_output: fragment outgoing reassembled skb properly
    - LP: #1269863
  * netfilter: push reasm skb through instead of orig...

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-quantal' to 'verification-done-quantal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Confirm fix resolves issue in Quantal. Tested 3.5.0-47-generic #71~precise1-Ubuntu SMP Wed Feb 19 22:02:52 UTC 2014 x86_64 x86_64 x86_64

Many thanks !

I still see this problem in 3.8.0-35. Should I see the fix in this release too or was it fixed in 3.5.0 codestream only?

This bug was fixed in the package linux-lts-quantal - 3.5.0-47.71~precise1

---------------
linux-lts-quantal (3.5.0-47.71~precise1) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1281900

  [ Upstream Kernel Changes ]

  * Revert "mm: ensure get_unmapped_area() returns higher address than
    mmap_min_addr"
    - LP: #1277722
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
    - LP: #1270237
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * lirc_zilog: Don't use dynamic static allocation
    - LP: #1277722
  * net: Fix "ip rule delete table 256"
    - LP: #1277722
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1277722
  * random32: fix off-by-one in seeding requirement
    - LP: #1277722
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1277722
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1277722
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1277722
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1277722
  * connector: improved unaligned access error fix
    - LP: #1277722
  * ipv4: fix possible seqlock deadlock
    - LP: #1277722
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1277722
  * atm: idt77252: fix dev refcnt leak
    - LP: #1277722
  * net: core: Always propagate flag changes to interfaces
    - LP: #1277722
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1277722
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1277722
  * packet: fix use after free race in send path when dev is released
    - LP: #1277722
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1277722
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1277722
  * net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST
    - LP: #1277722
  * inet: fix possible seqlock deadlocks
    - LP: #1277722
  * ipv6: fix possible seqlock deadlock in ip6_finish_output2
    - LP: #1277722
  * af_packet: block BH in prb_shutdown_retire_blk_timer()
    - LP: #1277722
  * {pktgen, xfrm} Update IPv4 header total len and checksum after
    tranformation
    - LP: #1277722
  * bridge: flush br's address entry in fdb when remove the
    - LP: #1277722
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1277722
  * NFSv4: Update list of irrecoverable errors on DELEGRETURN
    - LP: #1277722
  * Update of blkg_stat and blkg_rwstat may happen in bh context. While
    u64_stats_fetch_retry is only preempt_disable on 32bit UP system. This
    is not enough to avoid preemption by bh and may read strange 64 bit
    value.
    - LP: #1277722
  * ASoC: wm8990: Mark the register map as dirty when powering down
    - LP: #1277722
  * irq: Enable all irqs unconditionally in irq_resume
    - LP: #1277722
  * xen/gnttab: leave lazy MMU mode in the case of a m2p override failure
    - LP: #12...

This bug was fixed in the package linux-lts-raring - 3.8.0-37.53~precise1

---------------
linux-lts-raring (3.8.0-37.53~precise1) precise; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1282210

  [ Upstream Kernel Changes ]

  * Revert "of/address: Handle #address-cells > 2 specially"
    - LP: #1278969
  * ath9k_htc: properly set MAC address and BSSID mask
    - LP: #1252422
    - CVE-2013-4579
  * aacraid: prevent invalid pointer dereference
    - LP: #1256083
    - CVE-2013-6380
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * mmc: sdhci-pci: break out definitions to header file
    - LP: #1239938
  * mmc: sdhci-pci: add support of O2Micro/BayHubTech SD hosts
    - LP: #1239938
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * xfs: add capability check to free eofblocks ioctl
    - LP: #1278969
  * staging: vt6656: [BUG] Fix for TX USB resets from vendors driver.
    - LP: #1278969
  * net: Fix "ip rule delete table 256"
    - LP: #1278969
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1278969
  * random32: fix off-by-one in seeding requirement
    - LP: #1278969
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1278969
  * usbnet: fix status interrupt urb handling
    - LP: #1278969
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1278969
  * tuntap: limit head length of skb allocated
    - LP: #1278969
  * macvtap: limit head length of skb allocated
    - LP: #1278969
  * tcp: tsq: restore minimal amount of queueing
    - LP: #1278969
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1278969
  * net-tcp: fix panic in tcp_fastopen_cache_set()
    - LP: #1278969
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1278969
  * connector: improved unaligned access error fix
    - LP: #1278969
  * ipv4: fix possible seqlock deadlock
    - LP: #1278969
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1278969
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1278969
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1278969
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1278969
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1278969
  * ip6_output: fragment outgoing reassembled skb properly
    - LP: #1278969
  * xfrm: Release dst if this dst is improper for vti tunnel
    - LP: #1278969
  * atm: idt77252: fix dev refcnt leak
    - LP: #1278969
  * tcp: don't update snd_nxt, when a socket is switched from repair mode
    - LP: #1278969
  * ipv4: fix race in concurrent ip_route_input_slow()
    - LP: #1278969
  * net: core: Always propagate flag changes to interfaces
    - LP: #1278969
  * bridge: flush br's address entry in fdb when remove the bridge dev
    - LP: #1278969
  * packet: fix use after free race in send path when dev is released
    - LP: #1278969
  * af_packet: block BH in prb_shutdown_retire_blk_timer()
    - LP: #1278969
  ...

This bug was fixed in the package linux - 3.5.0-47.71

---------------
linux (3.5.0-47.71) quantal; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1281828

  [ Upstream Kernel Changes ]

  * Revert "mm: ensure get_unmapped_area() returns higher address than
    mmap_min_addr"
    - LP: #1277722
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
    - LP: #1270237
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * lirc_zilog: Don't use dynamic static allocation
    - LP: #1277722
  * net: Fix "ip rule delete table 256"
    - LP: #1277722
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1277722
  * random32: fix off-by-one in seeding requirement
    - LP: #1277722
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1277722
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1277722
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1277722
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1277722
  * connector: improved unaligned access error fix
    - LP: #1277722
  * ipv4: fix possible seqlock deadlock
    - LP: #1277722
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1277722
  * atm: idt77252: fix dev refcnt leak
    - LP: #1277722
  * net: core: Always propagate flag changes to interfaces
    - LP: #1277722
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1277722
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1277722
  * packet: fix use after free race in send path when dev is released
    - LP: #1277722
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1277722
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1277722
  * net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST
    - LP: #1277722
  * inet: fix possible seqlock deadlocks
    - LP: #1277722
  * ipv6: fix possible seqlock deadlock in ip6_finish_output2
    - LP: #1277722
  * af_packet: block BH in prb_shutdown_retire_blk_timer()
    - LP: #1277722
  * {pktgen, xfrm} Update IPv4 header total len and checksum after
    tranformation
    - LP: #1277722
  * bridge: flush br's address entry in fdb when remove the
    - LP: #1277722
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1277722
  * NFSv4: Update list of irrecoverable errors on DELEGRETURN
    - LP: #1277722
  * Update of blkg_stat and blkg_rwstat may happen in bh context. While
    u64_stats_fetch_retry is only preempt_disable on 32bit UP system. This
    is not enough to avoid preemption by bh and may read strange 64 bit
    value.
    - LP: #1277722
  * ASoC: wm8990: Mark the register map as dirty when powering down
    - LP: #1277722
  * irq: Enable all irqs unconditionally in irq_resume
    - LP: #1277722
  * xen/gnttab: leave lazy MMU mode in the case of a m2p override failure
    - LP: #1277722
  * libsas: fix usage of ata_tf_to_f...

This bug was fixed in the package linux-ti-omap4 - 3.5.0-239.55

---------------
linux-ti-omap4 (3.5.0-239.55) quantal; urgency=low

  * Release Tracking Bug
    - LP: #1281895

  [ Paolo Pisati ]

  * rebased on Ubuntu-3.5.0-47.71

  [ Ubuntu: 3.5.0-47.71 ]

  * Release Tracking Bug
    - LP: #1281828
  * Revert "mm: ensure get_unmapped_area() returns higher address than
    mmap_min_addr"
    - LP: #1277722
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
    - LP: #1270237
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * lirc_zilog: Don't use dynamic static allocation
    - LP: #1277722
  * net: Fix "ip rule delete table 256"
    - LP: #1277722
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1277722
  * random32: fix off-by-one in seeding requirement
    - LP: #1277722
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1277722
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1277722
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1277722
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1277722
  * connector: improved unaligned access error fix
    - LP: #1277722
  * ipv4: fix possible seqlock deadlock
    - LP: #1277722
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1277722
  * atm: idt77252: fix dev refcnt leak
    - LP: #1277722
  * net: core: Always propagate flag changes to interfaces
    - LP: #1277722
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1277722
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1277722
  * packet: fix use after free race in send path when dev is released
    - LP: #1277722
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1277722
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1277722
  * net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST
    - LP: #1277722
  * inet: fix possible seqlock deadlocks
    - LP: #1277722
  * ipv6: fix possible seqlock deadlock in ip6_finish_output2
    - LP: #1277722
  * af_packet: block BH in prb_shutdown_retire_blk_timer()
    - LP: #1277722
  * {pktgen, xfrm} Update IPv4 header total len and checksum after
    tranformation
    - LP: #1277722
  * bridge: flush br's address entry in fdb when remove the
    - LP: #1277722
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1277722
  * NFSv4: Update list of irrecoverable errors on DELEGRETURN
    - LP: #1277722
  * Update of blkg_stat and blkg_rwstat may happen in bh context. While
    u64_stats_fetch_retry is only preempt_disable on 32bit UP system. This
    is not enough to avoid preemption by bh and may read strange 64 bit
    value.
    - LP: #1277722
  * ASoC: wm8990: Mark the register map as dirty when powering down
    - LP: #1277722
  * irq: Enable all irqs unconditionally in irq_resume
    - LP: #1277722
  * xen/gnttab: leave lazy MMU ...

This bug was fixed in the package linux-armadaxp - 3.5.0-1628.37

---------------
linux-armadaxp (3.5.0-1628.37) quantal-proposed; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
    - LP: #1281897
  * Rebase onto Ubuntu-3.5.0-47.71

  [ Ubuntu: 3.5.0-47.71 ]

  * Release Tracking Bug
    - LP: #1281828
  * Revert "mm: ensure get_unmapped_area() returns higher address than
    mmap_min_addr"
    - LP: #1277722
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
    - LP: #1270237
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * lirc_zilog: Don't use dynamic static allocation
    - LP: #1277722
  * net: Fix "ip rule delete table 256"
    - LP: #1277722
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1277722
  * random32: fix off-by-one in seeding requirement
    - LP: #1277722
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1277722
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1277722
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1277722
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1277722
  * connector: improved unaligned access error fix
    - LP: #1277722
  * ipv4: fix possible seqlock deadlock
    - LP: #1277722
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1277722
  * atm: idt77252: fix dev refcnt leak
    - LP: #1277722
  * net: core: Always propagate flag changes to interfaces
    - LP: #1277722
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1277722
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1277722
  * packet: fix use after free race in send path when dev is released
    - LP: #1277722
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1277722
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1277722
  * net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST
    - LP: #1277722
  * inet: fix possible seqlock deadlocks
    - LP: #1277722
  * ipv6: fix possible seqlock deadlock in ip6_finish_output2
    - LP: #1277722
  * af_packet: block BH in prb_shutdown_retire_blk_timer()
    - LP: #1277722
  * {pktgen, xfrm} Update IPv4 header total len and checksum after
    tranformation
    - LP: #1277722
  * bridge: flush br's address entry in fdb when remove the
    - LP: #1277722
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1277722
  * NFSv4: Update list of irrecoverable errors on DELEGRETURN
    - LP: #1277722
  * Update of blkg_stat and blkg_rwstat may happen in bh context. While
    u64_stats_fetch_retry is only preempt_disable on 32bit UP system. This
    is not enough to avoid preemption by bh and may read strange 64 bit
    value.
    - LP: #1277722
  * ASoC: wm8990: Mark the register map as dirty when powering down
    - LP: #1277722
  * irq: Enable all irqs unconditionally in irq_resume
    - LP: #1277722
  * xen/gnttab: leave l...

This bug was fixed in the package linux-ti-omap4 - 3.5.0-239.55

---------------
linux-ti-omap4 (3.5.0-239.55) quantal; urgency=low

  * Release Tracking Bug
    - LP: #1281895

  [ Paolo Pisati ]

  * rebased on Ubuntu-3.5.0-47.71

  [ Ubuntu: 3.5.0-47.71 ]

  * Release Tracking Bug
    - LP: #1281828
  * Revert "mm: ensure get_unmapped_area() returns higher address than
    mmap_min_addr"
    - LP: #1277722
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
    - LP: #1270237
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * lirc_zilog: Don't use dynamic static allocation
    - LP: #1277722
  * net: Fix "ip rule delete table 256"
    - LP: #1277722
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1277722
  * random32: fix off-by-one in seeding requirement
    - LP: #1277722
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1277722
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1277722
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1277722
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1277722
  * connector: improved unaligned access error fix
    - LP: #1277722
  * ipv4: fix possible seqlock deadlock
    - LP: #1277722
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1277722
  * atm: idt77252: fix dev refcnt leak
    - LP: #1277722
  * net: core: Always propagate flag changes to interfaces
    - LP: #1277722
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1277722
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1277722
  * packet: fix use after free race in send path when dev is released
    - LP: #1277722
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1277722
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1277722
  * net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST
    - LP: #1277722
  * inet: fix possible seqlock deadlocks
    - LP: #1277722
  * ipv6: fix possible seqlock deadlock in ip6_finish_output2
    - LP: #1277722
  * af_packet: block BH in prb_shutdown_retire_blk_timer()
    - LP: #1277722
  * {pktgen, xfrm} Update IPv4 header total len and checksum after
    tranformation
    - LP: #1277722
  * bridge: flush br's address entry in fdb when remove the
    - LP: #1277722
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1277722
  * NFSv4: Update list of irrecoverable errors on DELEGRETURN
    - LP: #1277722
  * Update of blkg_stat and blkg_rwstat may happen in bh context. While
    u64_stats_fetch_retry is only preempt_disable on 32bit UP system. This
    is not enough to avoid preemption by bh and may read strange 64 bit
    value.
    - LP: #1277722
  * ASoC: wm8990: Mark the register map as dirty when powering down
    - LP: #1277722
  * irq: Enable all irqs unconditionally in irq_resume
    - LP: #1277722
  * xen/gnttab: leave lazy MMU ...

Seems the bug reappeared in precise with 3.2.0-64-generic-pae.
3.2.0-61-generic-pae works.
I do not know which of the kernels in between work.

The bug now shows up in Trusty as of 3.13.0-30 I know it was working in 3.13.0-24

The bug is also present in 3.13.0-29 as well.

@Kit / @Sebastian -- ok the fix for the original bug appears to be correctly applied. I believe this is a new form of this bug triggered by the commit below:

  commit dbb490b96584d4e958533fb637f08b557f505657
  Author: Matthew Leach <email address hidden>
  Date: Tue Mar 11 11:58:27 2014 +0000

    net: socket: error on a negative msg_namelen

As this is essentially a new bug, could one of you file a new bug against the 'linux' package for me, and reference it here. I'll see about some debugging to confirm this on that bug.

Reported as bug #1335478

Thanks

I reported this as a new bug back almost a month ago - but to date, while the status has been changed to confirmed, the bug remains unassigned. I have tested 3.13.0-32 and the bug remains in this new version as well.

I have also commented on the new bug #1335478. Thanks to this bug being fixed, I have a workaround- which is to install one of these FIXED kernels.