* [PATCH] meson.build: Add -fzero-init-padding-bits=all
@ 2026-05-08 10:47 Peter Maydell
2026-05-08 10:49 ` Peter Maydell
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Peter Maydell @ 2026-05-08 10:47 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-stable, Daniel P. Berrangé
The C standard doesn't always guarantee that struct and union padding
bits are zero initialized, even if the code initializes a struct.
For QEMU, this is potentially problematic, because we often have
structs that match data structures in guest memory, where we
initialize them and then bulk copy them into the guest. If the
compiler didn't zero init the whole of the memory containing the
struct, we could potentially leak random data from the host into the
guest via the padding bytes.
We already use -ftrivial-auto-var-init=zero, which will zero out
padding in many of these cases, but -fzero-init-padding-bits=all
closes some gaps, for example cases where we initialize a
variable with a struct initializer, and cases involving unions.
Follow the Linux kernel in using both options. Compare kernel
commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
This option exists in gcc-15 and above; it's not supported
by clang, but clang documents that it guarantees zero init
of these cases always:
https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
Older gcc which don't have the option behave as if it were set.
(These options are passed through the cc.get_supported_arguments()
filter, so we don't need to do anything extra to avoid passing it to
a compiler that doesn't recognize it.)
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
CC stable just as a precautionary thing; it's safe and we
might as well make sure the hardening options are set there.
---
meson.build | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/meson.build b/meson.build
index 5fbdc75a0f..d3df10eeef 100644
--- a/meson.build
+++ b/meson.build
@@ -684,6 +684,12 @@ hardening_flags = [
# it harder to take advantage of uninitialized stack
# data to drive exploits
'-ftrivial-auto-var-init=zero',
+ # Ensure GCC zero-initializes padding bits and trailing fields in
+ # unions. This avoids potentially leaking host data into the guest
+ # when we init a struct and copy it into guest memory. GCC 15 and
+ # clang don't have this, but they zero the padding and trailing
+ # portions of a union by default.
+ '-fzero-init-padding-bits=all',
]
# Zero out registers used during a function call
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
@ 2026-05-08 10:49 ` Peter Maydell
2026-05-08 11:02 ` Daniel P. Berrangé
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Peter Maydell @ 2026-05-08 10:49 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-stable, Daniel P. Berrangé
On Fri, 8 May 2026 at 11:47, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> CC stable just as a precautionary thing; it's safe and we
> might as well make sure the hardening options are set there.
> ---
> meson.build | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/meson.build b/meson.build
> index 5fbdc75a0f..d3df10eeef 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -684,6 +684,12 @@ hardening_flags = [
> # it harder to take advantage of uninitialized stack
> # data to drive exploits
> '-ftrivial-auto-var-init=zero',
> + # Ensure GCC zero-initializes padding bits and trailing fields in
> + # unions. This avoids potentially leaking host data into the guest
> + # when we init a struct and copy it into guest memory. GCC 15 and
Whoops, I meant to say "GCC before GCC 15" here; the commit message
is correct in saying GCC 15 is where the option first appears.
> + # clang don't have this, but they zero the padding and trailing
> + # portions of a union by default.
> + '-fzero-init-padding-bits=all',
> ]
>
> # Zero out registers used during a function call
> --
> 2.43.0
>
thanks
-- PMM
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
2026-05-08 10:49 ` Peter Maydell
@ 2026-05-08 11:02 ` Daniel P. Berrangé
2026-05-08 20:55 ` Richard Henderson
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Daniel P. Berrangé @ 2026-05-08 11:02 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel, qemu-stable
On Fri, May 08, 2026 at 11:47:23AM +0100, Peter Maydell wrote:
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> CC stable just as a precautionary thing; it's safe and we
> might as well make sure the hardening options are set there.
> ---
> meson.build | 6 ++++++
> 1 file changed, 6 insertions(+)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
2026-05-08 10:49 ` Peter Maydell
2026-05-08 11:02 ` Daniel P. Berrangé
@ 2026-05-08 20:55 ` Richard Henderson
2026-05-08 23:00 ` Pierrick Bouvier
2026-05-15 8:49 ` Peter Maydell
4 siblings, 0 replies; 6+ messages in thread
From: Richard Henderson @ 2026-05-08 20:55 UTC (permalink / raw)
To: qemu-devel
On 5/8/26 05:47, Peter Maydell wrote:
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc:qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell<peter.maydell@linaro.org>
> ---
> CC stable just as a precautionary thing; it's safe and we
> might as well make sure the hardening options are set there.
> ---
> meson.build | 6 ++++++
> 1 file changed, 6 insertions(+)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
r~
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
` (2 preceding siblings ...)
2026-05-08 20:55 ` Richard Henderson
@ 2026-05-08 23:00 ` Pierrick Bouvier
2026-05-15 8:49 ` Peter Maydell
4 siblings, 0 replies; 6+ messages in thread
From: Pierrick Bouvier @ 2026-05-08 23:00 UTC (permalink / raw)
To: Peter Maydell, qemu-devel; +Cc: qemu-stable, Daniel P. Berrangé
On 5/8/2026 3:47 AM, Peter Maydell wrote:
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> CC stable just as a precautionary thing; it's safe and we
> might as well make sure the hardening options are set there.
> ---
> meson.build | 6 ++++++
> 1 file changed, 6 insertions(+)
>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
` (3 preceding siblings ...)
2026-05-08 23:00 ` Pierrick Bouvier
@ 2026-05-15 8:49 ` Peter Maydell
4 siblings, 0 replies; 6+ messages in thread
From: Peter Maydell @ 2026-05-15 8:49 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-stable, Daniel P. Berrangé
On Fri, 8 May 2026 at 11:47, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
I'll take this via target-arm.next.
-- PMM
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-05-15 8:50 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
2026-05-08 10:49 ` Peter Maydell
2026-05-08 11:02 ` Daniel P. Berrangé
2026-05-08 20:55 ` Richard Henderson
2026-05-08 23:00 ` Pierrick Bouvier
2026-05-15 8:49 ` Peter Maydell
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.