Kernel: Fix IoCreateFile double-deref, IoDeleteSymbolicLink handle leak, IoSynchronous* stubs

PatrickvL · PatrickvL · commit 2d014b623a98 · 2026-05-09T17:48:48.000+02:00
- IoCreateFile: null OpenPacket.FileObject after dereferencing it in the
  error path to prevent the final cleanup from dereferencing it again
  (double-free/use-after-free on file open failures)

- IoDeleteSymbolicLink: always close the Handle regardless of whether
  NtMakeTemporaryObject succeeds (handle leak on every failed symlink
  deletion, accumulating during dashboard transitions)

- IoSynchronousDeviceIoControlRequest and IoSynchronousFsdRequest: return
  X_STATUS_NOT_IMPLEMENTED instead of S_OK so games hit their error paths
  rather than reading uninitialized output buffers
diff --git a/src/core/kernel/exports/EmuKrnlIo.cpp b/src/core/kernel/exports/EmuKrnlIo.cpp
@@ -574,6 +574,7 @@ XBSYSAPI EXPORTNUM(66) xbox::ntstatus_xt NTAPI xbox::IoCreateFile
 			/* Clear the device object to invalidate the FO, and dereference */
 			OpenPacket.FileObject->DeviceObject = nullptr;
 			ObfDereferenceObject(OpenPacket.FileObject);
+			OpenPacket.FileObject = nullptr;
 		}
 	}
 	else {
@@ -681,9 +682,7 @@ XBSYSAPI EXPORTNUM(69) xbox::ntstatus_xt NTAPI xbox::IoDeleteSymbolicLink
 
 	/* Make the link temporary and close its handle */
 	result = NtMakeTemporaryObject(Handle);
-	if (X_NT_SUCCESS(result)) {
-		NtClose(Handle);
-	}
+	NtClose(Handle);
 
 	RETURN(result);
 }
@@ -1565,7 +1564,7 @@ XBSYSAPI EXPORTNUM(84) xbox::ntstatus_xt NTAPI xbox::IoSynchronousDeviceIoContro
 
 	LOG_UNIMPLEMENTED();
 
-	RETURN(S_OK);
+	RETURN(X_STATUS_NOT_IMPLEMENTED);
 }
 
 // ******************************************************************
@@ -1590,7 +1589,7 @@ XBSYSAPI EXPORTNUM(85) xbox::ntstatus_xt NTAPI xbox::IoSynchronousFsdRequest
 
 	LOG_UNIMPLEMENTED();
 
-	RETURN(S_OK);
+	RETURN(X_STATUS_NOT_IMPLEMENTED);
 }
 
 // ******************************************************************

Original file line number	Diff line number	Diff line change
`@@ -574,6 +574,7 @@ XBSYSAPI EXPORTNUM(66) xbox::ntstatus_xt NTAPI xbox::IoCreateFile`
`574`	`574`	`/* Clear the device object to invalidate the FO, and dereference */`
`575`	`575`	`OpenPacket.FileObject->DeviceObject = nullptr;`
`576`	`576`	`ObfDereferenceObject(OpenPacket.FileObject);`
	`577`	`+ OpenPacket.FileObject = nullptr;`
`577`	`578`	`}`
`578`	`579`	`}`
`579`	`580`	`else {`
`@@ -681,9 +682,7 @@ XBSYSAPI EXPORTNUM(69) xbox::ntstatus_xt NTAPI xbox::IoDeleteSymbolicLink`
`681`	`682`
`682`	`683`	`/* Make the link temporary and close its handle */`
`683`	`684`	`result = NtMakeTemporaryObject(Handle);`
`684`		`- if (X_NT_SUCCESS(result)) {`
`685`		`- NtClose(Handle);`
`686`		`- }`
	`685`	`+ NtClose(Handle);`
`687`	`686`
`688`	`687`	`RETURN(result);`
`689`	`688`	`}`
`@@ -1565,7 +1564,7 @@ XBSYSAPI EXPORTNUM(84) xbox::ntstatus_xt NTAPI xbox::IoSynchronousDeviceIoContro`
`1565`	`1564`
`1566`	`1565`	`LOG_UNIMPLEMENTED();`
`1567`	`1566`
`1568`		`- RETURN(S_OK);`
	`1567`	`+ RETURN(X_STATUS_NOT_IMPLEMENTED);`
`1569`	`1568`	`}`
`1570`	`1569`
`1571`	`1570`	`// ******************************************************************`
`@@ -1590,7 +1589,7 @@ XBSYSAPI EXPORTNUM(85) xbox::ntstatus_xt NTAPI xbox::IoSynchronousFsdRequest`
`1590`	`1589`
`1591`	`1590`	`LOG_UNIMPLEMENTED();`
`1592`	`1591`
`1593`		`- RETURN(S_OK);`
	`1592`	`+ RETURN(X_STATUS_NOT_IMPLEMENTED);`
`1594`	`1593`	`}`
`1595`	`1594`
`1596`	`1595`	`// ******************************************************************`