* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
@ 2026-05-08 10:49 ` Peter Maydell
2026-05-08 11:02 ` Daniel P. Berrangé
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Peter Maydell @ 2026-05-08 10:49 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-stable, Daniel P. Berrangé
On Fri, 8 May 2026 at 11:47, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> CC stable just as a precautionary thing; it's safe and we
> might as well make sure the hardening options are set there.
> ---
> meson.build | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/meson.build b/meson.build
> index 5fbdc75a0f..d3df10eeef 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -684,6 +684,12 @@ hardening_flags = [
> # it harder to take advantage of uninitialized stack
> # data to drive exploits
> '-ftrivial-auto-var-init=zero',
> + # Ensure GCC zero-initializes padding bits and trailing fields in
> + # unions. This avoids potentially leaking host data into the guest
> + # when we init a struct and copy it into guest memory. GCC 15 and
Whoops, I meant to say "GCC before GCC 15" here; the commit message
is correct in saying GCC 15 is where the option first appears.
> + # clang don't have this, but they zero the padding and trailing
> + # portions of a union by default.
> + '-fzero-init-padding-bits=all',
> ]
>
> # Zero out registers used during a function call
> --
> 2.43.0
>
thanks
-- PMM
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
2026-05-08 10:49 ` Peter Maydell
@ 2026-05-08 11:02 ` Daniel P. Berrangé
2026-05-08 20:55 ` Richard Henderson
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Daniel P. Berrangé @ 2026-05-08 11:02 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel, qemu-stable
On Fri, May 08, 2026 at 11:47:23AM +0100, Peter Maydell wrote:
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> CC stable just as a precautionary thing; it's safe and we
> might as well make sure the hardening options are set there.
> ---
> meson.build | 6 ++++++
> 1 file changed, 6 insertions(+)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
2026-05-08 10:49 ` Peter Maydell
2026-05-08 11:02 ` Daniel P. Berrangé
@ 2026-05-08 20:55 ` Richard Henderson
2026-05-08 23:00 ` Pierrick Bouvier
2026-05-15 8:49 ` Peter Maydell
4 siblings, 0 replies; 6+ messages in thread
From: Richard Henderson @ 2026-05-08 20:55 UTC (permalink / raw)
To: qemu-devel
On 5/8/26 05:47, Peter Maydell wrote:
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc:qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell<peter.maydell@linaro.org>
> ---
> CC stable just as a precautionary thing; it's safe and we
> might as well make sure the hardening options are set there.
> ---
> meson.build | 6 ++++++
> 1 file changed, 6 insertions(+)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
r~
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
` (2 preceding siblings ...)
2026-05-08 20:55 ` Richard Henderson
@ 2026-05-08 23:00 ` Pierrick Bouvier
2026-05-15 8:49 ` Peter Maydell
4 siblings, 0 replies; 6+ messages in thread
From: Pierrick Bouvier @ 2026-05-08 23:00 UTC (permalink / raw)
To: Peter Maydell, qemu-devel; +Cc: qemu-stable, Daniel P. Berrangé
On 5/8/2026 3:47 AM, Peter Maydell wrote:
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> CC stable just as a precautionary thing; it's safe and we
> might as well make sure the hardening options are set there.
> ---
> meson.build | 6 ++++++
> 1 file changed, 6 insertions(+)
>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] meson.build: Add -fzero-init-padding-bits=all
2026-05-08 10:47 [PATCH] meson.build: Add -fzero-init-padding-bits=all Peter Maydell
` (3 preceding siblings ...)
2026-05-08 23:00 ` Pierrick Bouvier
@ 2026-05-15 8:49 ` Peter Maydell
4 siblings, 0 replies; 6+ messages in thread
From: Peter Maydell @ 2026-05-15 8:49 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-stable, Daniel P. Berrangé
On Fri, 8 May 2026 at 11:47, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> The C standard doesn't always guarantee that struct and union padding
> bits are zero initialized, even if the code initializes a struct.
> For QEMU, this is potentially problematic, because we often have
> structs that match data structures in guest memory, where we
> initialize them and then bulk copy them into the guest. If the
> compiler didn't zero init the whole of the memory containing the
> struct, we could potentially leak random data from the host into the
> guest via the padding bytes.
>
> We already use -ftrivial-auto-var-init=zero, which will zero out
> padding in many of these cases, but -fzero-init-padding-bits=all
> closes some gaps, for example cases where we initialize a
> variable with a struct initializer, and cases involving unions.
>
> Follow the Linux kernel in using both options. Compare kernel
> commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
>
> This option exists in gcc-15 and above; it's not supported
> by clang, but clang documents that it guarantees zero init
> of these cases always:
> https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
> Older gcc which don't have the option behave as if it were set.
>
> (These options are passed through the cc.get_supported_arguments()
> filter, so we don't need to do anything extra to avoid passing it to
> a compiler that doesn't recognize it.)
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
I'll take this via target-arm.next.
-- PMM
^ permalink raw reply [flat|nested] 6+ messages in thread