Call only asynchronous-safe functions within signal handlers. For strictly conforming programs, only the C standard library functions abort(), _Exit(), and signal() can be called from within a signal handler.
...
Noncompliant Code Example (POSIX)
The POSIX standard [Open Group 2004] [IEEE Std 1003.1:2013] is contradictory regarding raise() in signal handlers. It prohibits signal handlers installed using signal() from calling the raise() function if the signal occurs as the result of calling the raise(), kill(), pthread_kill(), or sigqueue() functions. However, it allows the raise() function to be safely called within any signal handler. Consequently, it is not clear whether it is safe for POSIX applications to call raise() in signal handlers installed using signal(), but it is safe to call raise() in signal handlers installed using sigaction().
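An added example, not code from the original page: both handlers are installed with sigaction(), the case the paragraph above identifies as safe for calling raise(), and the handlers touch only volatile sig_atomic_t flags. The names run_demo, install, int_handler, and usr1_handler are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* expose sigaction() under strict -std modes */
#endif
#include <signal.h>
#include <string.h>

/* Handlers communicate with the main flow only through these flags. */
static volatile sig_atomic_t got_sigint = 0;
static volatile sig_atomic_t got_sigusr1 = 0;

static void usr1_handler(int signum) {
  (void)signum;
  got_sigusr1 = 1; /* defer any logging to code outside the handler */
}

static void int_handler(int signum) {
  (void)signum;
  got_sigint = 1;
  /* raise() is the only function called here: no stdio, no malloc(). */
  if (raise(SIGUSR1) != 0) {
    got_sigusr1 = 2; /* record the failure; report it outside the handler */
  }
}

/* Install handler for signum using sigaction(); returns 0 on success. */
static int install(int signum, void (*handler)(int)) {
  struct sigaction act;
  memset(&act, 0, sizeof(act));
  act.sa_handler = handler;
  if (sigemptyset(&act.sa_mask) != 0) {
    return -1;
  }
  return sigaction(signum, &act, NULL);
}

/* Returns 0 if SIGINT was handled and its handler forwarded SIGUSR1. */
int run_demo(void) {
  got_sigint = 0;
  got_sigusr1 = 0;
  if (install(SIGUSR1, usr1_handler) != 0) return -1;
  if (install(SIGINT, int_handler) != 0) return -1;
  if (raise(SIGINT) != 0) return -1;
  /* Both handlers have returned by the time raise() returns. */
  return (got_sigint == 1 && got_sigusr1 == 1) ? 0 : -1;
}

int main(void) {
  return run_demo() == 0 ? 0 : 1;
}
```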
...
All functions not listed in this table are considered to be unsafe with respect to signals. In the presence of signals, all functions defined by the Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 (IEEE Std 1003.1, 2013 Edition) behave as defined when called from or interrupted by a signal handler, with a single exception: when a signal interrupts an unsafe function and the signal handler calls an unsafe function, the behavior is undefined.
...
Invoking functions that are not asynchronous-safe from within a signal handler may result in privilege escalation and other attacks.
...
[C99 Rationale 2003] | Subclause 5.2.3, "Signals and Interrupts"; Subclause 7.14.1.1, "The signal Function" |
[Dowd 2006] | Chapter 13, "Synchronization and State" |
[IEEE Std 1003.1:2013] | XSH, System Interfaces, longjmp; XSH, System Interfaces, raise |
[ISO/IEC 9899:2011] | Subclause 7.14.1.1, "The signal function" |
[Open Group 2004] | longjmp() |
[OpenBSD] | signal() Man Page |
[Zalewski 2001] | "Delivering Signals for Fun and Profit" |
...