Hardening: add -ftrivial-auto-var-init=zero

This zeroes out variables that COULD be accessed before being set (so to prevent access to unitialized variables). We are generally very careful about this in our code, but in 3rd party modules this is less the case. And still useful in case we ourselves screw up.
2026-06-12 17:14:46 +02:00 · 2026-02-22 16:36:35 +01:00
parent 0ab1221a38
commit 4d4a43984c
2 changed files with 64 additions and 0 deletions
@@ -153,6 +153,12 @@ AS_IF([test x"$hardening" != x"no"], [
  # Clear registers on return (performance penalty, but acceptable, makes ROP harder)
  check_cc_flag([-fzero-call-used-regs=used-gpr], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fzero-call-used-regs=used-gpr"])

+  # This zeroes out variables that COULD be accessed before being set.
+  # We are generally very careful about this in our code, but 3rd party
+  # modules are not always so careful. And still useful in case we ourselves
+  # screw up.
+  check_cc_flag([-ftrivial-auto-var-init=zero], [HARDEN_CFLAGS="$HARDEN_CFLAGS -ftrivial-auto-var-init=zero"])
+
  # At the link step, we might want -pie (GCC) or -Wl,-pie (Clang on OS X)
  #
  # The linker checks also compile code, so we need to include -fPIE as well.