Commit a163fc1f86 for qemu.org

commit a163fc1f864bef27f6e527cbad9defba7af9e60a
Author: Peter Maydell <peter.maydell@linaro.org>
Date:   Fri May 8 11:47:23 2026 +0100

    meson.build: Add -fzero-init-padding-bits=all

    The C standard doesn't always guarantee that struct and union padding
    bits are zero initialized, even if the code initializes a struct.
    For QEMU, this is potentially problematic, because we often have
    structs that match data structures in guest memory, where we
    initialize them and then bulk copy them into the guest.  If the
    compiler didn't zero init the whole of the memory containing the
    struct, we could potentially leak random data from the host into the
    guest via the padding bytes.

    We already use -ftrivial-auto-var-init=zero, which will zero out
    padding in many of these cases, but -fzero-init-padding-bits=all
    closes some gaps, for example cases where we initialize a
    variable with a struct initializer, and cases involving unions.

    Follow the Linux kernel in using both options. Compare kernel
    commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").

    This option exists in gcc-15 and above; it's not supported
    by clang, but clang documents that it guarantees zero init
    of these cases always:
    https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
    Older gcc which don't have the option behave as if it were set.

    (These options are passed through the cc.get_supported_arguments()
    filter, so we don't need to do anything extra to avoid passing them to
    a compiler that doesn't recognize them.)

    Cc: qemu-stable@nongnu.org
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
    Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
    Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
    Message-id: 20260508104723.2144051-1-peter.maydell@linaro.org
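As an added illustration of the leak the commit message describes (this is example code written for this page, not QEMU code and not part of the commit): a small C harness that lays out a hypothetical guest-visible struct, poisons the stack with 0xAA, builds the struct once with a struct initializer (the case the commit message says -ftrivial-auto-var-init=zero does not fully cover) and once with an explicit memset, copies each to a byte buffer the way QEMU bulk-copies into guest memory, and counts how many bytes outside the named fields (struct padding plus the uninitialised tail of the union) are non-zero. `struct guest_rec`, its field names and the 0xAA poison value are all assumptions made for the example; the result of the initializer case depends on compiler and flags, which is the point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical guest-visible record (not a real QEMU structure). On
 * common 64-bit ABIs: kind at 0, 3 padding bytes, value at 4, flags at 8,
 * 6 padding bytes, the 8-byte union at 16; sizeof == 24. Only u.tag is
 * ever initialised, so the union's remaining 7 bytes are an uninitialised
 * tail, the "trailing portion of a union" case. */
struct guest_rec {
    uint8_t  kind;
    uint32_t value;
    uint16_t flags;
    union {
        uint8_t  tag;
        uint64_t raw;   /* only here to give the union size/alignment 8 */
    } u;
};

#define REC_SIZE sizeof(struct guest_rec)

/* Bytes of the object that no initialised field covers: struct padding
 * plus the union bytes beyond u.tag. Computed, not hard-coded, so it is
 * right on any ABI. */
size_t unnamed_bytes(void)
{
    return REC_SIZE - (sizeof(uint8_t) + sizeof(uint32_t) +
                       sizeof(uint16_t) + sizeof(uint8_t));
}

/* Count bytes outside the initialised fields that are non-zero in a raw
 * copy of the record, i.e. bytes a guest could read as host leakage. */
size_t count_nonzero_unnamed(const uint8_t *raw)
{
    uint8_t named[sizeof(struct guest_rec)] = {0};
    memset(named + offsetof(struct guest_rec, kind),  1, sizeof(uint8_t));
    memset(named + offsetof(struct guest_rec, value), 1, sizeof(uint32_t));
    memset(named + offsetof(struct guest_rec, flags), 1, sizeof(uint16_t));
    memset(named + offsetof(struct guest_rec, u),     1, sizeof(uint8_t)); /* u.tag only */
    size_t n = 0;
    for (size_t i = 0; i < REC_SIZE; i++) {
        if (!named[i] && raw[i] != 0) {
            n++;
        }
    }
    return n;
}

/* Leave recognisable junk (assumed poison value 0xAA) on the stack so that
 * a later frame's un-zeroed bytes stand out. volatile keeps the stores. */
__attribute__((noinline)) static void poison_stack(void)
{
    volatile uint8_t junk[1024];
    for (size_t i = 0; i < sizeof junk; i++) {
        junk[i] = 0xAA;
    }
}

/* The pattern the commit message worries about: a struct initializer sets
 * the named fields; whether padding and the union tail are zeroed is up to
 * the compiler and its flags (gcc-15 needs -fzero-init-padding-bits=all). */
__attribute__((noinline)) static void fill_from_initializer(uint8_t *out)
{
    struct guest_rec r = {
        .kind = 1, .value = 0x11223344u, .flags = 0x5566u, .u.tag = 0x77,
    };
    memcpy(out, &r, sizeof r);   /* the "bulk copy into the guest" */
}

/* Flag-independent form: clear every byte of the object first, then set
 * the fields. Padding and the union tail are zero on any compiler. */
__attribute__((noinline)) static void fill_zeroed(uint8_t *out)
{
    struct guest_rec r;
    memset(&r, 0, sizeof r);
    r.kind = 1;
    r.value = 0x11223344u;
    r.flags = 0x5566u;
    r.u.tag = 0x77;
    memcpy(out, &r, sizeof r);
}

size_t leaked_bytes_initializer(void)
{
    uint8_t raw[sizeof(struct guest_rec)];
    poison_stack();
    fill_from_initializer(raw);
    return count_nonzero_unnamed(raw);
}

size_t leaked_bytes_zeroed(void)
{
    uint8_t raw[sizeof(struct guest_rec)];
    poison_stack();
    fill_zeroed(raw);
    return count_nonzero_unnamed(raw);
}

int main(void)
{
    printf("sizeof(struct guest_rec) = %zu, unnamed bytes = %zu\n",
           REC_SIZE, unnamed_bytes());
    printf("non-zero unnamed bytes after struct initializer: %zu\n",
           leaked_bytes_initializer());
    printf("non-zero unnamed bytes after memset + field stores: %zu\n",
           leaked_bytes_zeroed());
    return 0;
}
```

Build it with and without `-ftrivial-auto-var-init=zero` and, on gcc-15, with and without `-fzero-init-padding-bits=all`: a non-zero count from the initializer case is exactly the gap the new flag closes, while the memset form reports zero regardless of toolchain. A zero count for the initializer case does not prove the compiler guarantees it; it may simply have chosen a zero-filled constant for this particular initializer, which is why the flag, not the observation, is what QEMU relies on.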

diff --git a/meson.build b/meson.build
index 90c149b10d..37060c030e 100644
--- a/meson.build
+++ b/meson.build
@@ -684,6 +684,12 @@ hardening_flags = [
     # it harder to take advantage of uninitialized stack
     # data to drive exploits
     '-ftrivial-auto-var-init=zero',
+    # Ensure GCC zero-initializes padding bits and trailing fields in
+    # unions. This avoids potentially leaking host data into the guest
+    # when we init a struct and copy it into guest memory.  GCC prior
+    # to GCC 15 and clang don't have this, but they zero the padding
+    # and trailing portions of a union by default.
+    '-fzero-init-padding-bits=all',
 ]

 # Zero out registers used during a function call
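Review bot: the new comment ("# Ensure GCC zero-initializes padding bits and trailing fields in unions") should state the scope of the guarantee: as both option names say, -ftrivial-auto-var-init=zero and -fzero-init-padding-bits=all apply to automatic variables and their initializers, so a struct obtained from the heap, filled field by field and then copied into guest memory is covered by neither and still needs an explicit zeroing of the whole object. "trailing fields in unions" is also imprecise; the union case is the bytes beyond the initialised member, so "padding bits and the uninitialised tail of unions" would match "trailing portions of a union" two lines further down. Since the claim that clang zeroes these by default rests on clang's documentation, quoting that URL in the comment would let the next reader verify it without digging up the commit message.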