This is revision 3 of this patch.

Apply by doing
	cd /sys
	patch < vm_mmap.patch

Index: vm/vm_mmap.c
===================================================================
RCS file: /cvs/src/sys/vm/vm_mmap.c,v
retrieving revision 1.10
retrieving revision 1.13
diff -u -r1.10 -r1.13
--- vm_mmap.c	1997/11/14 20:56:08	1.10
+++ vm_mmap.c	1998/02/25 22:13:46	1.13
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vm_mmap.c,v 1.8 1997/07/25 06:03:08 mickey Exp $	*/
+/*	$OpenBSD: vm_mmap.c,v 1.13 1998/02/25 22:13:46 deraadt Exp $	*/
 /*	$NetBSD: vm_mmap.c,v 1.47 1996/03/16 23:15:23 christos Exp $	*/
 
 /*
@@ -213,8 +213,7 @@
 		if (fp->f_type != DTYPE_VNODE)
 			return (EINVAL);
 		vp = (struct vnode *)fp->f_data;
-		if (vp->v_type != VREG && vp->v_type != VCHR)
-			return (EINVAL);
+
 		/*
 		 * XXX hack to handle use of /dev/zero to map anon
 		 * memory (ala SunOS).
@@ -223,6 +222,14 @@
 			flags |= MAP_ANON;
 			goto is_anon;
 		}
+
+		/*
+		 * Only files and cdevs are mappable, and cdevs does not
+		 * provide private mappings of any kind.
+		 */
+		if (vp->v_type != VREG &&
+		    (vp->v_type != VCHR || (flags & (MAP_PRIVATE|MAP_COPY))))
+			return (EINVAL);
 		/*
 		 * Ensure that file and memory protections are
 		 * compatible.  Note that we only worry about
@@ -236,13 +243,18 @@
 		if (fp->f_flag & FREAD)
 			maxprot |= VM_PROT_READ;
 		else if (prot & PROT_READ)
+			return (EACCES);
+
+		/*
+		 * If we are sharing potential changes (either via MAP_SHARED
+		 * or via the implicit sharing of character device mappings),
+		 * and we are trying to get write permission although we
+		 * opened it without asking for it, bail out.
+		 */
+		if (((flags & MAP_SHARED) != 0 || vp->v_type == VCHR) &&
+		    (fp->f_flag & FWRITE) == 0 && (prot & PROT_WRITE) != 0)
 			return (EACCES);
-		if (flags & MAP_SHARED) {
-			if (fp->f_flag & FWRITE)
-				maxprot |= VM_PROT_WRITE;
-			else if (prot & PROT_WRITE)
-				return (EACCES);
-		} else
+		else
 			maxprot |= VM_PROT_WRITE;
 		handle = (caddr_t)vp;
 	} else {