Title: Use-after-free in `_Py_typing_type_repr` via re-entrant `__origin__` lookup during `GenericAlias` repr · Issue #143635 · python/cpython · GitHub
Open Graph Title: Use-after-free in `_Py_typing_type_repr` via re-entrant `__origin__` lookup during `GenericAlias` repr · Issue #143635 · python/cpython
X Title: Use-after-free in `_Py_typing_type_repr` via re-entrant `__origin__` lookup during `GenericAlias` repr · Issue #143635 · python/cpython
Description: What happened? types.GenericAlias.__repr__ walks its type arguments by borrowed pointers. A crafted argument object implements __getattr__ to clear the shared list when _Py_typing_type_repr probes __origin__/__args__, dropping the last r...
Open Graph Description: What happened? types.GenericAlias.__repr__ walks its type arguments by borrowed pointers. A crafted argument object implements __getattr__ to clear the shared list when _Py_typing_type_repr probes ...
X Description: What happened? types.GenericAlias.__repr__ walks its type arguments by borrowed pointers. A crafted argument object implements __getattr__ to clear the shared list when _Py_typing_type_repr probes ...
Opengraph URL: https://github.com/python/cpython/issues/143635
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Use-after-free in `_Py_typing_type_repr` via re-entrant `__origin__` lookup during `GenericAlias` repr","articleBody":"### What happened?\n\n`types.GenericAlias.__repr__` walks its type arguments by borrowed pointers. A crafted argument object implements `__getattr__` to clear the shared list when `_Py_typing_type_repr` probes `__origin__`/`__args__`, dropping the last reference to the same object mid-repr. The second attribute probe then dereferences the freed object inside `PyObject_HasAttrWithError`, producing a heap use-after-free during `repr()`.\n\n**Proof of Concept:**\n\n```python\nimport types\n\n\nclass Zap:\n __slots__ = (\"container\",)\n\n def __init__(self, container):\n self.container = container\n\n def __getattr__(self, name):\n if name == \"__origin__\":\n self.container.clear()\n return None\n if name == \"__args__\":\n return ()\n raise AttributeError\n\n\nparams = []\nparams.append(Zap(params))\nalias = types.GenericAlias(list, (params,))\nrepr(alias)\n```\n\n**Vulnerable Code Snippet:**\n\n\u003cdetails\u003e\n\u003csummary\u003eClick to expand\u003c/summary\u003e\n\n```c\n/* Buggy Re-entrant Path */\nstatic int\nga_repr_items_list(PyUnicodeWriter *writer, PyObject *p)\n{\n Py_ssize_t len = PyList_GET_SIZE(p);\n ...\n PyObject *item = PyList_GET_ITEM(p, i); /* crashing pointer derived */\n if (_Py_typing_type_repr(writer, item) \u003c 0) {\n return -1;\n }\n}\n\nint\n_Py_typing_type_repr(PyUnicodeWriter *writer, PyObject *p)\n{\n ...\n if ((rc = PyObject_HasAttrWithError(p, \u0026_Py_ID(__origin__))) \u003e 0 \u0026\u0026 /* Reentrant call site */\n (rc = PyObject_HasAttrWithError(p, \u0026_Py_ID(__args__))) \u003e 0) {\n /* user __getattr__ can clear the list and free 'p' */\n goto use_repr;\n }\n ...\n}\n\nint\nPyObject_GetOptionalAttr(PyObject *v, PyObject *name, PyObject **result)\n{\n PyTypeObject *tp = Py_TYPE(v); /* Crash site */\n ...\n}\n\n/* Clobbering Path */\nstatic void\nlist_clear_impl(PyListObject *a, bool is_resize)\n{\n PyObject **items = a-\u003eob_item;\n /* ... */\n\n Py_ssize_t i = Py_SIZE(a);\n Py_SET_SIZE(a, 0);\n FT_ATOMIC_STORE_PTR_RELEASE(a-\u003eob_item, NULL);\n a-\u003eallocated = 0;\n while (--i \u003e= 0) {\n Py_XDECREF(items[i]); /* state mutate site */\n }\n free_list_items(items, use_qsbr);\n}\n```\n\u003c/details\u003e\n\n**Sanitizer Output:**\n\n\u003cdetails\u003e\n\u003csummary\u003eClick to expand\u003c/summary\u003e\n\n```\n=================================================================\n==440644==ERROR: AddressSanitizer: heap-use-after-free on address 0x504000054aa8 at pc 0x58f73fa51496 bp 0x7fff368835e0 sp 0x7fff368835d0\nREAD of size 8 at 0x504000054aa8 thread T0\n #0 0x58f73fa51495 in _Py_TYPE Include/object.h:277\n #1 0x58f73fa51495 in PyObject_GetOptionalAttr Objects/object.c:1337\n #2 0x58f73fa51495 in PyObject_HasAttrWithError Objects/object.c:1431\n #3 0x58f73fb1d83e in _Py_typing_type_repr Objects/typevarobject.c:280\n #4 0x58f73f97890b in ga_repr_items_list Objects/genericaliasobject.c:72\n #5 0x58f73f97890b in ga_repr Objects/genericaliasobject.c:118\n #6 0x58f73fa4d04e in PyObject_Repr Objects/object.c:779\n #7 0x58f73f92f3e7 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:169\n #8 0x58f73f92f3e7 in PyObject_Vectorcall Objects/call.c:327\n #9 0x58f73f7e35a2 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1620\n #10 0x58f73fcadad6 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121\n #11 0x58f73fcadad6 in _PyEval_Vector Python/ceval.c:2001\n #12 0x58f73fcadad6 in PyEval_EvalCode Python/ceval.c:884\n #13 0x58f73fdf316e in run_eval_code_obj Python/pythonrun.c:1365\n #14 0x58f73fdf316e in run_mod Python/pythonrun.c:1459\n #15 0x58f73fdf7e17 in pyrun_file Python/pythonrun.c:1293\n #16 0x58f73fdf7e17 in _PyRun_SimpleFileObject Python/pythonrun.c:521\n #17 0x58f73fdf893c in _PyRun_AnyFileObject Python/pythonrun.c:81\n #18 0x58f73fe6be3c in pymain_run_file_obj Modules/main.c:410\n #19 0x58f73fe6be3c in pymain_run_file Modules/main.c:429\n #20 0x58f73fe6be3c in pymain_run_python Modules/main.c:691\n #21 0x58f73fe6d71e in Py_RunMain Modules/main.c:772\n #22 0x58f73fe6d71e in pymain_main Modules/main.c:802\n #23 0x58f73fe6d71e in Py_BytesMain Modules/main.c:826\n #24 0x7adc66e2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #25 0x7adc66e2a28a in __libc_start_main_impl ../csu/libc-start.c:360\n #26 0x58f73f807634 in _start (/home/jackfromeast/Desktop/entropy/targets/grammar-afl++-latest/targets/cpython/python+0x206634) (BuildId: 4d105290d0ad566a4d6f4f7b2f05fbc9e317b533)\n\n0x504000054aa8 is located 24 bytes inside of 40-byte region [0x504000054a90,0x504000054ab8)\nfreed by thread T0 here:\n #0 0x7adc672fc4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52\n #1 0x58f73fac08f3 in subtype_dealloc Objects/typeobject.c:2852\n #2 0x58f73fa4c1d8 in _Py_Dealloc Objects/object.c:3200\n #3 0x58f73fd37a49 in Py_DECREF_MORTAL Include/internal/pycore_object.h:482\n #4 0x58f73fd37a49 in PyStackRef_XCLOSE Include/internal/pycore_stackref.h:736\n #5 0x58f73fd37a49 in _PyFrame_ClearLocals Python/frame.c:101\n #6 0x58f73fd37a49 in _PyFrame_ClearExceptCode Python/frame.c:126\n #7 0x58f73fca3052 in clear_thread_frame Python/ceval.c:1826\n #8 0x58f73fca3052 in _PyEval_FrameClearAndPop Python/ceval.c:1850\n #9 0x58f73f7e7f4c in _PyEval_EvalFrameDefault Python/generated_cases.c.h:10403\n #10 0x58f73fcae2a5 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121\n #11 0x58f73fcae2a5 in _PyEval_Vector Python/ceval.c:2001\n #12 0x58f73f92f3e7 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:169\n #13 0x58f73f92f3e7 in PyObject_Vectorcall Objects/call.c:327\n #14 0x58f73faef275 in call_attribute Objects/typeobject.c:10627\n #15 0x58f73faef275 in call_attribute Objects/typeobject.c:10621\n #16 0x58f73faef275 in _Py_slot_tp_getattr_hook Objects/typeobject.c:10688\n #17 0x58f73fa51218 in PyObject_GetOptionalAttr Objects/object.c:1377\n #18 0x58f73fa51218 in PyObject_HasAttrWithError Objects/object.c:1431\n #19 0x58f73fb1d6f6 in _Py_typing_type_repr Objects/typevarobject.c:279\n #20 0x58f73f97890b in ga_repr_items_list Objects/genericaliasobject.c:72\n #21 0x58f73f97890b in ga_repr Objects/genericaliasobject.c:118\n #22 0x58f73fa4d04e in PyObject_Repr Objects/object.c:779\n #23 0x58f73f92f3e7 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:169\n #24 0x58f73f92f3e7 in PyObject_Vectorcall Objects/call.c:327\n #25 0x58f73f7e35a2 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1620\n #26 0x58f73fcadad6 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121\n #27 0x58f73fcadad6 in _PyEval_Vector Python/ceval.c:2001\n #28 0x58f73fcadad6 in PyEval_EvalCode Python/ceval.c:884\n #29 0x58f73fdf316e in run_eval_code_obj Python/pythonrun.c:1365\n #30 0x58f73fdf316e in run_mod Python/pythonrun.c:1459\n #31 0x58f73fdf7e17 in pyrun_file Python/pythonrun.c:1293\n #32 0x58f73fdf7e17 in _PyRun_SimpleFileObject Python/pythonrun.c:521\n #33 0x58f73fdf893c in _PyRun_AnyFileObject Python/pythonrun.c:81\n #34 0x58f73fe6be3c in pymain_run_file_obj Modules/main.c:410\n #35 0x58f73fe6be3c in pymain_run_file Modules/main.c:429\n #36 0x58f73fe6be3c in pymain_run_python Modules/main.c:691\n #37 0x58f73fe6d71e in Py_RunMain Modules/main.c:772\n #38 0x58f73fe6d71e in pymain_main Modules/main.c:802\n #39 0x58f73fe6d71e in Py_BytesMain Modules/main.c:826\n #40 0x7adc66e2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #41 0x7adc66e2a28a in __libc_start_main_impl ../csu/libc-start.c:360\n #42 0x58f73f807634 in _start (/home/jackfromeast/Desktop/entropy/targets/grammar-afl++-latest/targets/cpython/python+0x206634) (BuildId: 4d105290d0ad566a4d6f4f7b2f05fbc9e317b533)\n\npreviously allocated by thread T0 here:\n #0 0x7adc672fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69\n #1 0x58f73fad488e in _PyObject_MallocWithType Include/internal/pycore_object_alloc.h:46\n #2 0x58f73fad488e in _PyType_AllocNoTrack Objects/typeobject.c:2504\n #3 0x58f73fad4af4 in PyType_GenericAlloc Objects/typeobject.c:2535\n #4 0x58f73facc118 in type_call Objects/typeobject.c:2448\n #5 0x58f73f92d9cd in _PyObject_MakeTpCall Objects/call.c:242\n #6 0x58f73f7e35a2 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1620\n #7 0x58f73fcadad6 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121\n #8 0x58f73fcadad6 in _PyEval_Vector Python/ceval.c:2001\n #9 0x58f73fcadad6 in PyEval_EvalCode Python/ceval.c:884\n #10 0x58f73fdf316e in run_eval_code_obj Python/pythonrun.c:1365\n #11 0x58f73fdf316e in run_mod Python/pythonrun.c:1459\n #12 0x58f73fdf7e17 in pyrun_file Python/pythonrun.c:1293\n #13 0x58f73fdf7e17 in _PyRun_SimpleFileObject Python/pythonrun.c:521\n #14 0x58f73fdf893c in _PyRun_AnyFileObject Python/pythonrun.c:81\n #15 0x58f73fe6be3c in pymain_run_file_obj Modules/main.c:410\n #16 0x58f73fe6be3c in pymain_run_file Modules/main.c:429\n #17 0x58f73fe6be3c in pymain_run_python Modules/main.c:691\n #18 0x58f73fe6d71e in Py_RunMain Modules/main.c:772\n #19 0x58f73fe6d71e in pymain_main Modules/main.c:802\n #20 0x58f73fe6d71e in Py_BytesMain Modules/main.c:826\n #21 0x7adc66e2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #22 0x7adc66e2a28a in __libc_start_main_impl ../csu/libc-start.c:360\n #23 0x58f73f807634 in _start (/home/jackfromeast/Desktop/entropy/targets/grammar-afl++-latest/targets/cpython/python+0x206634) (BuildId: 4d105290d0ad566a4d6f4f7b2f05fbc9e317b533)\n\nSUMMARY: AddressSanitizer: heap-use-after-free Include/object.h:277 in _Py_TYPE\nShadow bytes around the buggy address:\n 0x504000054800: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd\n 0x504000054880: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd\n 0x504000054900: fa fa 00 00 00 00 00 05 fa fa fd fd fd fd fd fa\n 0x504000054980: fa fa 00 00 00 00 00 05 fa fa fd fd fd fd fd fa\n 0x504000054a00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa\n=\u003e0x504000054a80: fa fa fd fd fd[fd]fd fa fa fa fd fd fd fd fd fd\n 0x504000054b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x504000054b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x504000054c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x504000054c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x504000054d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n==440644==ABORTING\n```\n\u003c/details\u003e\n\n### CPython versions tested on:\n\n\u003cdetails\u003e\n\n| Python Version | Status | Exit Code |\n|---|---|---|\n| `Python 3.9.24+ (heads/3.9:111bbc15b26, Oct 28 2025, 16:51:20) ` | OK | 0 |\n| `Python 3.10.19+ (heads/3.10:014261980b1, Oct 28 2025, 16:52:08) [Clang 18.1.3 (1ubuntu1)]` | OK | 0 |\n| `Python 3.11.14+ (heads/3.11:88f3f5b5f11, Oct 28 2025, 16:53:08) [Clang 18.1.3 (1ubuntu1)]` | OK | 0 |\n| `Python 3.12.12+ (heads/3.12:8cb2092bd8c, Oct 28 2025, 16:54:14) [Clang 18.1.3 (1ubuntu1)]` | ASAN | 1 |\n| `Python 3.13.9+ (heads/3.13:9c8eade20c6, Oct 28 2025, 16:55:18) [Clang 18.1.3 (1ubuntu1)]` | ASAN | 1 |\n| `Python 3.14.0+ (heads/3.14:2e216728038, Oct 28 2025, 16:56:16) [Clang 18.1.3 (1ubuntu1)]` | ASAN | 1 |\n| `Python 3.15.0a1+ (heads/main:f5394c257ce, Oct 28 2025, 19:29:54) [GCC 13.3.0]` | ASAN | 1 |\n\n\u003c/details\u003e\n\n### Operating systems tested on:\n\nLinux\n\n### Output from running 'python -VV' on the command line:\n\nPython 3.15.0a1+ (heads/main:f5394c257ce, Oct 28 2025, 19:29:54) [GCC 13.3.0]\n\n\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-143670\n* gh-143851\n* gh-143852\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/jackfromeast","@type":"Person","name":"jackfromeast"},"datePublished":"2026-01-10T05:07:57.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":3},"url":"https://github.com/143635/cpython/issues/143635"}| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:5ba82dc5-8c70-8d31-9f22-7cfa57b309ea |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | EA3C:34E738:7348B:93303:696B3136 |
| html-safe-nonce | 16c0803e3a914e78bec9b631de4cd679383a82e5505844916c21ef40eb1520f3 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFQTNDOjM0RTczODo3MzQ4Qjo5MzMwMzo2OTZCMzEzNiIsInZpc2l0b3JfaWQiOiIzMjc1NjEzODM4NjM4Nzg4OTE4IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 1aec5449cfa937922834762365e5ad9513efebfae354405027ad6a511f3f4215 |
| hovercard-subject-tag | issue:3799129682 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/python/cpython/143635/issue_layout |
| twitter:image | https://opengraph.githubassets.com/7a8638e3b244015877c8ad9f14ee15a6c976aee3ebb5d4dd50070808ee950acb/python/cpython/issues/143635 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/7a8638e3b244015877c8ad9f14ee15a6c976aee3ebb5d4dd50070808ee950acb/python/cpython/issues/143635 |
| og:image:alt | What happened? types.GenericAlias.__repr__ walks its type arguments by borrowed pointers. A crafted argument object implements __getattr__ to clear the shared list when _Py_typing_type_repr probes ... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | jackfromeast |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5f99f7c1d70f01da5b93e5ca90303359738944d8ab470e396496262c66e60b8d |
| turbo-cache-control | no-preview |
| go-import | github.com/python/cpython git https://github.com/python/cpython.git |
| octolytics-dimension-user_id | 1525981 |
| octolytics-dimension-user_login | python |
| octolytics-dimension-repository_id | 81598961 |
| octolytics-dimension-repository_nwo | python/cpython |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 81598961 |
| octolytics-dimension-repository_network_root_nwo | python/cpython |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 82560a55c6b2054555076f46e683151ee28a19bc |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width