[Bug 1972043] [NEW] Please add -ftrivial-auto-var-init=zero to default build flags

Kees Cook 1972043 at bugs.launchpad.net
Sat May 7 03:36:07 UTC 2022


Public bug reported:

Please add "-ftrivial-auto-var-init=zero" for GCC 12 (which is the first
release of GCC to provide this flag).

It goes well with the other important security flaw mitigation flags already enabled in Ubuntu for GCC:
https://wiki.ubuntu.com/ToolChain/CompilerFlags

While many variables are initialized (due to -Wuninitialized), there is
a blind spot for variables passed by reference, padding, and cases where
-Wuninitialized just fails to track it. Universally wiping the variables
eliminates nearly the entire class of uninitialized stack variable use
(https://cwe.mitre.org/data/definitions/457.html) with nearly no
overhead (e.g. any duplicate assignments will already be squashed during
dead store elimination, etc).

** Affects: gcc-12 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-12 in Ubuntu.
https://bugs.launchpad.net/bugs/1972043

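The two blind spots the report names, padding and variables passed by reference, shown as an added example that is not part of the original bug report. `struct reply`, `build_reply`, `parse_port`, `port_unchecked` and the sample values are constructed for illustration, and `noinline` is used only to model a callee the compiler cannot see into.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct reply { uint8_t kind; uint32_t len; };   /* constructed record */

/* Padding: every field is assigned, yet the gap bytes are never written. */
void build_reply(unsigned char *out, int wipe)
{
    struct reply r;
    if (wipe) memset(&r, 0, sizeof r);  /* by hand, what the flag automates */
    r.kind = 7;
    r.len = 42;
    memcpy(out, &r, sizeof r);          /* copies the padding out as well */
}

/* Number of nonzero bytes in the gap between kind and len. */
int padding_nonzero(const unsigned char *buf)
{
    int n = 0;
    for (size_t i = sizeof(uint8_t); i < offsetof(struct reply, len); i++)
        n += buf[i] != 0;
    return n;
}

/* Writes *out only on success; noinline models a callee in another file. */
__attribute__((noinline)) int parse_port(const char *s, int *out)
{
    int v = 0;
    if (sscanf(s, "%d", &v) != 1 || v < 1 || v > 65535)
        return -1;
    *out = v;
    return 0;
}

/* By reference: &port escapes, so the unchecked failure path is
 * typically not reported by -Wuninitialized. */
int port_unchecked(const char *s)
{
    int port;
    (void)parse_port(s, &port);
    return port;   /* old stack contents on failure; 0 with the flag */
}

int main(void)
{
    unsigned char wire[sizeof(struct reply)];
    build_reply(wire, 0);
    printf("padding=%d port=%d\n", padding_nonzero(wire), port_unchecked("http"));
    return 0;
}
```

Build it with GCC 12 or later using `-O2 -Wall -Wextra`, then again with `-ftrivial-auto-var-init=zero` added, and compare the output: without the flag both values depend on whatever the stack slot held, with it both are 0.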