Linux Kernel Netfilter nf_tables Duplicate Device Update Vulnerability

A vulnerability in the Linux kernel's netfilter component allows for chain or flowtable updates to be processed with duplicated devices in the same batch. The netdev event path only removes the first occurrence of a device, leaving the hook of the duplicated device unregistered. This issue can lead to warnings when attempting to unregister the hook of the duplicated device.

Impact

The vulnerability can cause a warning to be logged when unregistering a duplicated device hook, indicating a potential mishandling of netdev events.

Reproduction

To reproduce this vulnerability, update a chain or flowtable in the nf_tables subsystem with duplicated devices in the same batch. The netdev event handling will only remove the first device, leaving the hook of the duplicate unregistered. This can be verified by checking for warnings in the system log related to the nf_hook_entry_head function, which will indicate that a duplicated device hook was not properly handled.

Remediation

No specific remediation is mentioned, but users can avoid this issue by ensuring that duplicate devices are not included in the same batch when updating chains or flowtables.