Skip to content

CPython PySequence_Tuple partial initialization sandbox escape PoC#10

Open
sigdevel wants to merge 1 commit into
bikini:mainfrom
sigdevel:main
Open

CPython PySequence_Tuple partial initialization sandbox escape PoC#10
sigdevel wants to merge 1 commit into
bikini:mainfrom
sigdevel:main

Conversation

@sigdevel

@sigdevel sigdevel commented Jul 1, 2026

Copy link
Copy Markdown

Finding in CPython's tuple construction path (based at my old issue python/cpython#101855 ; GH-127058;): PySequence_Tuple()registers the result tuple with the cyclic GC before any ob_item slot is initialized. Restricted code with gc access can call gc.get_referrers() to receive a direct reference to the partial tuple mid-construction, bypassing Python-level sandbox isolation.
Validated on CPython 3.13.12 (GIL) and a local 3.16.0a0 free-threading build with the pre-fix PySequence_Tuple restored.

whats included

Six standalone PoC scripts, each self-contained (stdlib only, no ctypes):

  • poc_escape_gil.py: privileged data disclosed via generator re-entry; SIGSEGV (exit -11) via normal for slot in tuple iteration ;
  • poc_escape_exec.py: exec() sandbox with restricted __builtins__ bypassed via gc.get_referrers() ;
  • poc_escape_ft.py: concurrent spy thread intercepts partial tuple on free-threaded Python without generator cooperation ;
  • poc_escape_open.py: open file handle and os.popen callable extracted from sandbox context that has neither open nor os in its globals ;
  • poc_free_threaded.py: barrier-synchronized race (Scenario 1) and 32-builder + 8-GC + 4-spy stress test (Scenario 2) ;
  • poc_memory_leak.py: GC retention primitive; spy accumulates stranded tuples and their payloads until explicit release ;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant