The problem is simple. The function named sys32_shmat has no reason to exist, and is broken. It assumes that user space has passed a pointer to the location where the resulting pointer should be stored. But that is not the shmat API, and glibc will pass no such parameter. So a null dereference results, leading to EFAULT. The fix is to remove this function from the code base and quite simply to wire the normal sys_shmat into the n32 syscall table. Since there is in fact no pointer-to-pointer argument, this function doesn't have a 32 bit compatibility issues.
