
Add advisory for unbounded-spsc: Sender::send transmute UAF under tx/rx race#2884

Closed
berkant-koc wants to merge 1 commit into
rustsec:mainfrom
berkant-koc:berkoc/unbounded-spsc-transmute-uaf-2026-05-14

Conversation

@berkant-koc
Contributor

Resubmission of the unbounded-spsc half of #2882, split per @djc's review and trimmed.

Sender::send (single-file crate, src/lib.rs:379-405 in 0.2.0 / commit 23a9ce7) transmutes *mut Producer<T> (a pointer, 8 bytes on 64-bit) into the bytes of a value-level Consumer<T>. The resulting Consumer::buffer.ptr is the address of a field on the Sender, not the real ArcInner<Buffer<T>>. consumer.try_pop() then reads Buffer<T> offsets that lie inside the Sender<T> frame (OOB), and Drop for the fake Arc calls dealloc on a non-allocated address.

Branch is only reachable single-threaded if the receiver-drop / connected = false guard is bypassed; the trigger is a TOCTOU race between Sender::send's connected.load() and Receiver::drop's compare_exchange(_, DISCONNECTED, ...). The author's own test suite carries a TODO at src/lib.rs:975 referencing the same assert that fires in the buggy path — the symptom was observed but misclassified.

The companion oneringbuf advisory is filed separately as a sibling PR.

Closes prior #2882 (superseded by this + the oneringbuf PR).

…rx race

The DISCONNECTED arm of Sender::send transmutes *mut Producer<T> as
a value-level Consumer<T>, yielding OOB read inside the Sender frame
and a fake-Arc drop on a non-allocated address. Reachable via TOCTOU
race between Receiver::drop and Sender::send.
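As an added illustration (not code from unbounded-spsc, and not the fix the advisory proposes), the model below shows the send/drop handshake the report describes done with a single state word: the sender claims the channel in one compare_exchange instead of load()-then-act, and its DISCONNECTED arm hands the value back to the caller rather than touching the consumer side. `Shared`, `claim`, the `BUSY` state and the `VecDeque` stand-in for the ring buffer are assumptions of this model.

```rust
use std::cell::UnsafeCell;
use std::collections::VecDeque;
use std::sync::atomic::{AtomicUsize, Ordering::{AcqRel, Acquire, Release}};
use std::sync::Arc;

const IDLE: usize = 0; // nobody is inside the channel
const BUSY: usize = 1; // one side is pushing or draining
const DISCONNECTED: usize = 2; // Receiver::drop won; send() must hand values back
struct Shared<T> {
    state: AtomicUsize,
    queue: UnsafeCell<VecDeque<T>>, // stand-in for the ring buffer (assumption)
}
unsafe impl<T: Send> Sync for Shared<T> {} // access is serialised by `state`
pub struct Sender<T>(Arc<Shared<T>>);
pub struct Receiver<T>(Arc<Shared<T>>);
#[derive(Debug, PartialEq)]
pub struct SendError<T>(pub T);
pub fn channel<T>() -> (Sender<T>, Receiver<T>) {
    let s = Arc::new(Shared { state: AtomicUsize::new(IDLE), queue: UnsafeCell::new(VecDeque::new()) });
    (Sender(Arc::clone(&s)), Receiver(s))
}
// Spin until `state` is IDLE, then move it to `to` in a single CAS; false once DISCONNECTED.
fn claim(state: &AtomicUsize, to: usize) -> bool {
    loop {
        match state.compare_exchange_weak(IDLE, to, AcqRel, Acquire) {
            Ok(_) => return true,
            Err(DISCONNECTED) => return false,
            Err(_) => std::hint::spin_loop(),
        }
    }
}

impl<T> Sender<T> {
    pub fn send(&self, value: T) -> Result<(), SendError<T>> {
        // Check and transition are one CAS, so Receiver::drop cannot slip in between a load() and the push.
        if !claim(&self.0.state, BUSY) { return Err(SendError(value)); }
        // SAFETY: state == BUSY gives this side exclusive access to the queue.
        unsafe { (*self.0.queue.get()).push_back(value) };
        self.0.state.store(IDLE, Release);
        Ok(())
    }
}
impl<T> Drop for Receiver<T> {
    fn drop(&mut self) {
        claim(&self.0.state, DISCONNECTED); // sticky: every later send() gets Err(value)
        // SAFETY: exclusive; undelivered values are dropped with the real queue.
        unsafe { (*self.0.queue.get()).clear() };
    }
}
```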
@djc
Member

djc commented May 14, 2026

Do you have approval from the maintainer to publish this?

@berkant-koc
Contributor Author

Same — closing per your point on #2883. The private channel here bounced (spearman@gitlab.com is a dead address), so I opened spearman/unbounded-spsc#4 asking the maintainer to enable private vulnerability reporting or supply an alternate contact. Will reopen this advisory PR once the maintainer has engaged, or after a 30-day attempt window.
