
You don't think CrowdStrike woe can affect Windows PCs only, do you? I work in an enterprise distro support on the kernel specifically, and you cannot even imagine how many customers have CrowdStrike solution installed on their Linux servers. And I know this because I'm mostly looking into vmcores collected after kernel panics, and guess why the kernel may panic…

@oleksandr Yes, they're loading obfuscated kernel modules - that's why you either need to enroll SB keys or disable it altogether.

I reverse-engineered it a few years back when IBM spun off its GTS branch into "Kyndryl", which used CrowdStrike and told us to stop using Fedora (and I wanted to keep using it).

Every CrowdStrike version has hardcoded kernel versions for RHEL, Oracle Linux, Ubuntu, Amazon and SLES, and if kver matches, it tries to inject those modules into the kernel. If it fails, it runs in reduced functionality mode.

@oleksandr But luckily this issue only affects Falcon running on Windows.


@Xavier @oleksandr maybe they'll double down ;-)


@Xavier @oleksandr Specifically Windows 10? Is XP affected (asking for the Navy)?


@Xavier @oleksandr That was a joke. Navy doesn't run EDR on their Windows XP lol.


@oleksandr It could happen on Linux just the same, but the current specific problem seems to only completely break Windows computers from what's being reported. Is that wrong?


@sammy No, your observations are correct. I'm talking about approaches being the same in principle, hence Linux indeed could be affected should the vendor mess up like this again.


@nf3xn @Xavier XP is affected but not in the way you may think :).


@Xavier @shironeko @nf3xn Windows Me was affected even before it was released. I still remember I was unable to install it because its installer defaulted to a display resolution that was not supported by my monitor.

@wolf480pl @oleksandr No idea, but same goes for kernel-level anticheats so...

@elly @oleksandr how is it legal to redistribute such modules?


@wolf480pl @elly Why redistribute? The customers get those from the vendor directly.


@oleksandr my favorite are the customers who have several CrowdStrike-like solutions for "security" and "management". Because more antivirus means more security, right?

@oleksandr Yeah, we looked into an alternative instead: https://github.com/SUSE/linux-security-sensor/tree/sensor-base-0.7.0

As for fun debugging stories in this general area of 3rd-party kernel modules (from a different vendor), we were once able to point out a refcount imbalance of something like a struct file just from the disassembly in the kernel crash dump, with no source available. It led to some weird slab corruption due to a use-after-free. Fun times.
@oleksandr Funny how it's often the same playbook with these 3rd-party kernel modules:
1. It's not our module's fault
2. Show evidence of the module's fault
3. Silently fixed, no acknowledgement

@vbabka I don't remember the exact details and names, but we managed to point a vendor to the fact that they forgot about unlocking a spinlock just by disassembling two versions of their module and comparing the listings.
