From 4e394862ced81286bccee2be83abcb2ea99b8cf0 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Wed, 26 Feb 2020 21:33:14 +0100
Subject: [PATCH] Kernel: Disallow assigning a TTY to an arbitrary process group ID

It was possible to send signals to processes that you were normally not allowed to send signals to, by calling ioctl(tty, TIOCSPGRP, targetpid) and then generating one of the TTY-related signals on the calling process's TTY (e.g by pressing ^C, ^Z, etc.)
---
 Kernel/TTY/TTY.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Kernel/TTY/TTY.cpp b/Kernel/TTY/TTY.cpp
index debf0f6a6e..d6e59bec53 100644
--- a/Kernel/TTY/TTY.cpp
+++ b/Kernel/TTY/TTY.cpp
@@ -291,10 +291,19 @@ int TTY::ioctl(FileDescription&, unsigned request, unsigned arg)
     case TIOCGPGRP:
         return m_pgid;
     case TIOCSPGRP:
-        // FIXME: Validate pgid fully.
         pgid = static_cast(arg);
-        if (pgid < 0)
+        if (pgid <= 0)
             return -EINVAL;
+        {
+            InterruptDisabler disabler;
+            auto* process = Process::from_pid(pgid);
+            if (!process)
+                return -EPERM;
+            if (pgid != process->pgid())
+                return -EPERM;
+            if (Process::current->sid() != process->sid())
+                return -EPERM;
+        }
         m_pgid = pgid;
         return 0;
     case TCGETS:
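Review bot: The new TIOCSPGRP checks tie the target group to the caller's session but never tie this TTY to the caller: nothing in the hunk verifies that the TTY being configured is the calling process's controlling terminal, so a process that opens another session's TTY directly can still point that TTY's foreground group at a group in its own session, and the signals generated from that terminal will be delivered there. POSIX specifies ENOTTY for a TIOCSPGRP on a terminal that is not the caller's controlling terminal, and adding that check (whether the TTY object records its session is not visible here) would close the remaining gap. Separately, validating the group via `Process::from_pid(pgid)` rejects a process group whose leader has exited while other members remain, which is a legitimate group under POSIX; a lookup of any process with `pgid() == pgid` would match the intended semantics. The `InterruptDisabler` scope closes before `m_pgid = pgid;`, which is fine since only an integer is stored, but a one-line comment stating `// Target must be a live group leader in the caller's session` above the block would make the intent of the three EPERM cases clear to the next reader. The enclosing `TTY::ioctl` switch continues outside the hunk.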