[Bug 2108968] [NEW] Enable -fzero-init-padding-bits=all, -Wbidi-chars=any

Seth Arnold 2108968 at bugs.launchpad.net
Thu Apr 24 05:23:15 UTC 2025


Public bug reported:

Hello, please consider this *untested* debdiff that I hope would enable
-fzero-init-padding-bits=all and -Wbidi-chars=any in the Ubuntu-specific
GCC specs.

The first option, -fzero-init-padding-bits=all, is asking the compiler
to zero out bits in unions and structs. GCC 15 moved to a more
standards-compliant implementation
https://gcc.gnu.org/gcc-15/changes.html -- we could bring back the GCC
14 behavior with -fzero-init-padding-bits=unions but the option of
zeroing even the unused padding bits is available to us now; I believe
we should use it.
https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fzero-init-padding-bits_003dvalue

The second option, -Wbidi-chars=any, brings no runtime security
benefits. Instead, it will log instances of potentially malicious use of
Unicode bidirectional characters that can mask malicious code from human
inspection. I hope some day we could scrape the logs to discover abuse.
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++#enable-warnings-for-possibly-misleading-unicode-bidirectional-control-characters
https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wbidi-chars_003d

I tried to introduce -fhardened (
https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2080267 ,
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++#enable-pre-determined-set-of-hardening-options-in-gcc
) but ran into significant problems. We should have a conversation about
it. I was really hoping -fhardened could address
https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2078989 -- and I
think it would -- but the -Whardened warning messages (
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++#additional-considerations-6
) are obnoxious enough that we can't possibly ship the implementation
that I came up with.

** Affects: gcc-15 (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "gcc-15_15-20250404-0ubuntu1.1.debdiff"
   https://bugs.launchpad.net/bugs/2108968/+attachment/5873948/+files/gcc-15_15-20250404-0ubuntu1.1.debdiff
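
Added example, not part of the bug report or of GCC: a stand-alone scanner for the kind of characters -Wbidi-chars=any is meant to surface, usable on trees that are not built with the warning enabled. The checked set (U+202A..U+202E and U+2066..U+2069), the function names and the sample buffer are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: line 2 carries U+202E and U+2069 inside a comment. */
static const unsigned char sample[] =
    "int ok = 1; /* plain ASCII comment */\n"
    "int x = 2; /* note \xE2\x80\xAE reversed \xE2\x81\xA9 */\n";

/* Decode the 3-byte UTF-8 sequence at p; return the code point if it is a
 * bidi control (U+202A..U+202E or U+2066..U+2069), otherwise 0. */
static unsigned bidi_control_at(const unsigned char *p)
{
    if (p[0] != 0xE2)
        return 0;
    if (p[1] == 0x80 && p[2] >= 0xAA && p[2] <= 0xAE)
        return 0x2000u + (p[2] & 0x3Fu);
    if (p[1] == 0x81 && p[2] >= 0xA6 && p[2] <= 0xA9)
        return 0x2040u + (p[2] & 0x3Fu);
    return 0;
}

/* Scan len bytes; print file:line:column for each hit when out is non-NULL
 * and return the hit count. Columns are 1-based byte offsets. */
size_t scan_bidi(const char *name, const unsigned char *buf, size_t len, FILE *out)
{
    size_t hits = 0, line = 1, col = 1;
    for (size_t i = 0; i < len; i++, col++) {
        if (buf[i] == '\n') {
            line++;
            col = 0;            /* the loop increment brings it back to 1 */
        } else if (i + 2 < len) {
            unsigned cp = bidi_control_at(buf + i);
            if (cp) {
                hits++;
                if (out)
                    fprintf(out, "%s:%zu:%zu: bidi control U+%04X\n", name, line, col, cp);
                i += 2;         /* skip the two continuation bytes */
                col += 2;
            }
        }
    }
    return hits;
}

int main(void)
{
    size_t n = scan_bidi("sample.c", sample, sizeof sample - 1, stdout);
    return n ? 1 : 0;           /* non-zero exit when anything was found */
}
```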
