
CVE-2024-45017: Vulnerability in Linux Linux

High
Published: Wed Sep 11 2024 (09/11/2024, 15:13:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix IPsec RoCE MPV trace call

Prevent the call trace below from happening, by not allowing IPsec creation over a slave, if master device doesn't support IPsec.

    WARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94
    Modules linked in: esp4_offload esp4 act_mirred act_vlan cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa mst_pciconf(OE) nfsv3 nfs_acl nfs lockd grace fscache netfs xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill cuse fuse rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel sha1_ssse3 dell_smbios ib_uverbs aesni_intel crypto_simd dcdbas wmi_bmof dell_wmi_descriptor cryptd pcspkr ib_core acpi_ipmi sp5100_tco ccp i2c_piix4 ipmi_si ptdma k10temp ipmi_devintf ipmi_msghandler acpi_power_meter acpi_cpufreq ext4 mbcache jbd2 sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect mlx5_core sysimgblt fb_sys_fops cec ahci libahci mlxfw drm pci_hyperv_intf libata tg3 sha256_ssse3 tls megaraid_sas i2c_algo_bit psample wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mst_pci]
    CPU: 44 PID: 16136 Comm: kworker/44:3 Kdump: loaded Tainted: GOE 5.15.0-20240509.el8uek.uek7_u3_update_v6.6_ipsec_bf.x86_64 #2
    Hardware name: Dell Inc. PowerEdge R7525/074H08, BIOS 2.0.3 01/15/2021
    Workqueue: events xfrm_state_gc_task
    RIP: 0010:down_read+0x75/0x94
    Code: 00 48 8b 45 08 65 48 8b 14 25 80 fc 01 00 83 e0 02 48 09 d0 48 83 c8 01 48 89 45 08 5d 31 c0 89 c2 89 c6 89 c7 e9 cb 88 3b 00 <0f> 0b 48 8b 45 08 a8 01 74 b2 a8 02 75 ae 48 89 c2 48 83 ca 02 f0
    RSP: 0018:ffffb26387773da8 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: ffffa08b658af900 RCX: 0000000000000001
    RDX: 0000000000000000 RSI: ff886bc5e1366f2f RDI: 0000000000000000
    RBP: ffffa08b658af940 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0a9bfb31540
    R13: ffffa0a9bfb37900 R14: 0000000000000000 R15: ffffa0a9bfb37905
    FS: 0000000000000000(0000) GS:ffffa0a9bfb00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000055a45ed814e8 CR3: 000000109038a000 CR4: 0000000000350ee0
    Call Trace:
     <TASK>
     ? show_trace_log_lvl+0x1d6/0x2f9
     ? show_trace_log_lvl+0x1d6/0x2f9
     ? mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]
     ? down_read+0x75/0x94
     ? __warn+0x80/0x113
     ? down_read+0x75/0x94
     ? report_bug+0xa4/0x11d
     ? handle_bug+0x35/0x8b
     ? exc_invalid_op+0x14/0x75
     ? asm_exc_invalid_op+0x16/0x1b
     ? down_read+0x75/0x94
     ? down_read+0xe/0x94
     mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]
     mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core]
     tx_destroy+0x1b/0xc0 [mlx5_core]
     tx_ft_put+0x53/0xc0 [mlx5_core]
     mlx5e_xfrm_free_state+0x45/0x90 [mlx5_core]
     ___xfrm_state_destroy+0x10f/0x1a2
     xfrm_state_gc_task+0x81/0xa9
     process_one_work+0x1f1/0x3c6
     worker_thread+0x53/0x3e4
     ? process_one_work.cold+0x46/0x3c
     kthread+0x127/0x144
     ? set_kthread_struct+0x60/0x52
     ret_from_fork+0x22/0x2d
     </TASK>
    ---[ end trace 5ef7896144d398e1 ]---

AI-Powered Analysis

Last updated: 06/28/2025, 23:55:49 UTC

Technical Analysis

CVE-2024-45017 is a vulnerability identified in the Linux kernel, specifically within the networking subsystem related to the Mellanox mlx5 driver and IPsec over RoCE (RDMA over Converged Ethernet). The issue arises from improper handling of IPsec creation over slave network devices when the master device does not support IPsec. This flaw leads to a kernel call trace and potential instability due to an invalid read lock operation on a read-write semaphore (rwsem). The kernel trace indicates a BUG triggered in the down_read() function within rwsem.c, which is part of the kernel's locking mechanism. The vulnerability manifests when the mlx5_core module attempts to perform IPsec operations on a slave device without proper validation of the master device's capabilities, causing an invalid operation exception and kernel warning. This can lead to kernel crashes or denial of service (DoS) conditions. The vulnerability affects Linux kernel versions including the 5.15.0-20240509.el8uek.uek7_u3_update_v6.6_ipsec_bf.x86_64 build and likely other versions using the mlx5 driver with IPsec over RoCE support. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The root cause is a logic flaw in the mlx5 IPsec RoCE implementation that fails to prevent IPsec creation on unsupported devices, resulting in kernel instability and potential service disruption.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the mlx5 driver and IPsec over RoCE enabled, commonly found in data centers, cloud infrastructure, and high-performance computing environments. The impact includes potential denial of service due to kernel crashes, which can disrupt critical network services and applications relying on IPsec for secure communications. Organizations utilizing RDMA technologies for low-latency networking, such as financial institutions, research centers, and telecom providers, may experience service interruptions or degraded performance. Although the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting instability could be exploited in targeted attacks to disrupt operations. Given the widespread use of Linux in European enterprise and cloud environments, the vulnerability could affect a broad range of sectors, especially those with advanced networking setups leveraging Mellanox hardware and IPsec for security. The lack of known exploits reduces immediate risk, but the potential for DoS and operational impact warrants prompt attention.

Mitigation Recommendations

To mitigate CVE-2024-45017, European organizations should:

1) Apply the latest Linux kernel patches from their distribution vendors that address this specific mlx5 IPsec RoCE issue as soon as they become available.
2) Temporarily disable IPsec over RoCE on mlx5 devices if patching is not immediately feasible, to prevent triggering the vulnerability.
3) Audit network configurations to ensure IPsec is not configured over slave devices whose master interfaces do not support IPsec, aligning with the vulnerability's root cause.
4) Monitor kernel logs for warnings or call traces related to rwsem down_read failures or mlx5_core module errors, enabling early detection of exploitation attempts or instability.
5) Engage with hardware vendors (e.g., Mellanox/NVIDIA) for firmware updates or guidance on secure configuration of mlx5 devices.
6) Implement robust system monitoring and automated kernel crash recovery mechanisms to minimize downtime in case of exploitation.

These steps go beyond generic advice by focusing on the specific mlx5 IPsec RoCE context and configuration validation.
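Recommendation 4 can be made concrete as a log check. The following is an added example, not code from this advisory or from the mlx5 driver: it scans kernel log lines for a WARNING in down_read whose reliable call-trace frames include the two mlx5_core functions from the trace in the description, ignoring frames marked "? ". The sample log is constructed (the page's trace abridged, with made-up timestamps and a hypothetical example_fn frame).

```python
import re

# Signature taken from the call trace in the CVE description above; the
# rwsem.c line number (240) is build-specific, so it is not matched.
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at (\S+?):\d+ (\w+)\+0x")
FRAME_RE = re.compile(r"(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SIGNATURE = {"mlx5_ipsec_fs_roce_tx_destroy", "mlx5_devcom_for_each_peer_begin"}

def scan(lines):
    """Return one dict per WARNING block: source file, function, reliable frames, match."""
    hits, cur, in_trace = [], None, False
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            cur = {"file": m.group(1), "func": m.group(2), "frames": []}
            hits.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif "Call Trace:" in line:
            in_trace = True
        elif "---[ end trace" in line:
            cur, in_trace = None, False
        elif in_trace:
            f = FRAME_RE.search(line)
            # Frames prefixed with "? " are unreliable stack leftovers; skip them.
            if f and not f.group(1):
                cur["frames"].append(f.group(2))
    for h in hits:
        h["match"] = (h["file"] == "kernel/locking/rwsem.c" and h["func"] == "down_read"
                      and SIGNATURE <= set(h["frames"]))
    return hits

# Constructed sample: the page's trace abridged, then an unrelated down_read warning.
SAMPLE = """\
[ 100.0] WARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94
[ 100.0] Call Trace:
[ 100.0]  <TASK>
[ 100.0]  ? down_read+0x75/0x94
[ 100.0]  mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]
[ 100.0]  mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core]
[ 100.0] ---[ end trace 5ef7896144d398e1 ]---
[ 200.0] WARNING: CPU: 1 PID: 42 at kernel/locking/rwsem.c:240 down_read+0x75/0x94
[ 200.0] Call Trace:
[ 200.0]  ? mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core]
[ 200.0]  example_fn+0x10/0x20
[ 200.0] ---[ end trace 0000000000000000 ]---
""".splitlines()
for hit in scan(SAMPLE):
    print(hit["func"], hit["frames"], "MATCH" if hit["match"] else "no match")
```

The same function can be fed the output of `dmesg` or `journalctl -k`, since the patterns are searched anywhere in the line rather than anchored to a particular prefix.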


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T05:34:56.682Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9826c4522896dcbe0ede

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/28/2025, 11:55:49 PM

Last updated: 8/3/2025, 7:00:43 AM
