diff -Nru dpdk-18.11.5/debian/changelog dpdk-18.11.5/debian/changelog
--- dpdk-18.11.5/debian/changelog	2019-11-21 14:39:22.000000000 +0000
+++ dpdk-18.11.5/debian/changelog	2020-05-12 11:41:12.000000000 +0000
@@ -1,3 +1,20 @@
+dpdk (18.11.5-0ubuntu0.19.10.2) eoan-security; urgency=medium
+
+  * SECURITY UPDATE: Integer overflow in vhost_user_set_log_base()
+    - d/p/0001-vhost-check-log-mmap-offset-and-size-overflow.patch: check
+      log mmap offset and size overflow in lib/librte_vhost/vhost_user.c.
+    - CVE-2020-10722
+  * SECURITY UPDATE: Int truncation in vhost_user_check_and_alloc_queue_pair()
+    - d/p/0002-vhost-fix-vring-index-check.patch: fix vring index check in
+      lib/librte_vhost/vhost_user.c.
+    - CVE-2020-10723
+  * SECURITY UPDATE: Missing inputs validation in Vhost-crypto
+    - d/p/0003-vhost-crypto-validate-keys-lengths.patch: validate keys
+      lengths in lib/librte_vhost/vhost_crypto.c.
+    - CVE-2020-10724
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 12 May 2020 07:41:12 -0400
+
 dpdk (18.11.5-0ubuntu0.19.10.1) eoan-security; urgency=medium
 
   * SECURITY REGRESSION: updated to 18.11.5 to fix regression in 18.11.4
diff -Nru dpdk-18.11.5/debian/patches/0001-vhost-check-log-mmap-offset-and-size-overflow.patch dpdk-18.11.5/debian/patches/0001-vhost-check-log-mmap-offset-and-size-overflow.patch
--- dpdk-18.11.5/debian/patches/0001-vhost-check-log-mmap-offset-and-size-overflow.patch	1970-01-01 00:00:00.000000000 +0000
+++ dpdk-18.11.5/debian/patches/0001-vhost-check-log-mmap-offset-and-size-overflow.patch	2020-05-12 11:40:41.000000000 +0000
@@ -0,0 +1,44 @@
+From 16b2a3114b0a70050f360c60b968ce867b43295a Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Tue, 21 Apr 2020 11:16:56 +0200
+Subject: [PATCH 1/3] vhost: check log mmap offset and size overflow
+
+vhost_user_set_log_base() is a message handler that is
+called to handle the VHOST_USER_SET_LOG_BASE message.
+Its payload contains a 64 bit size and offset. Both are
+added up and used as a size when calling mmap().
+
+There is no integer overflow check. If an integer overflow
+occurs a smaller memory map would be created than
+requested. Since the returned mapping is mapped as writable
+and used for logging, a memory corruption could occur.
+
+Fixes: fbc4d248b198 ("vhost: fix offset while mmaping log base address")
+Cc: stable@dpdk.org
+
+This issue has been assigned CVE-2020-10722
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+---
+ lib/librte_vhost/vhost_user.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -1534,10 +1534,10 @@ vhost_user_set_log_base(struct virtio_ne
+ 	size = msg->payload.log.mmap_size;
+ 	off  = msg->payload.log.mmap_offset;
+ 
+-	/* Don't allow mmap_offset to point outside the mmap region */
+-	if (off > size) {
++	/* Check for mmap size and offset overflow. */
++	if (off >= -size) {
+ 		RTE_LOG(ERR, VHOST_CONFIG,
+-			"log offset %#"PRIx64" exceeds log size %#"PRIx64"\n",
++			"log offset %#"PRIx64" and log size %#"PRIx64" overflow\n",
+ 			off, size);
+ 		return VH_RESULT_ERR;
+ 	}
diff -Nru dpdk-18.11.5/debian/patches/0002-vhost-fix-vring-index-check.patch dpdk-18.11.5/debian/patches/0002-vhost-fix-vring-index-check.patch
--- dpdk-18.11.5/debian/patches/0002-vhost-fix-vring-index-check.patch	1970-01-01 00:00:00.000000000 +0000
+++ dpdk-18.11.5/debian/patches/0002-vhost-fix-vring-index-check.patch	2020-05-12 11:40:49.000000000 +0000
@@ -0,0 +1,53 @@
+From 54afbd7b8b0c03928b8aef95ec95c1e9baeecb79 Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Tue, 21 Apr 2020 18:17:43 +0200
+Subject: [PATCH 2/3] vhost: fix vring index check
+
+vhost_user_check_and_alloc_queue_pair() is used to extract
+a vring index from a payload. This function validates the
+index and is called early on in when performing message
+handling. Most message handlers depend on it correctly
+validating the vring index.
+
+Depending on the message type the vring index is in
+different parts of the payload. The function contains a
+switch/case for each type and copies the index. This is
+stored in a uint16. This index is then validated. Depending
+on the message, the source index is an unsigned int. If
+integer truncation occurs (uint->uint16) the top 16 bits
+of the index are never validated.
+
+When they are used later on  (e.g. in
+vhost_user_set_vring_num() or vhost_user_set_vring_addr())
+it can lead to out of bound indexing. The out of bound
+indexed data gets written to, and hence this can cause
+memory corruption.
+
+This patch fixes this vulnerability by declaring vring
+index as an unsigned int in
+vhost_user_check_and_alloc_queue_pair().
+
+Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation")
+Cc: stable@dpdk.org
+
+This issue has been assigned CVE-2020-10723
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+---
+ lib/librte_vhost/vhost_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/librte_vhost/vhost_user.c
++++ b/lib/librte_vhost/vhost_user.c
+@@ -1966,7 +1966,7 @@ static int
+ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ 			struct VhostUserMsg *msg)
+ {
+-	uint16_t vring_idx;
++	uint32_t vring_idx;
+ 
+ 	switch (msg->request.master) {
+ 	case VHOST_USER_SET_VRING_KICK:
diff -Nru dpdk-18.11.5/debian/patches/0003-vhost-crypto-validate-keys-lengths.patch dpdk-18.11.5/debian/patches/0003-vhost-crypto-validate-keys-lengths.patch
--- dpdk-18.11.5/debian/patches/0003-vhost-crypto-validate-keys-lengths.patch	1970-01-01 00:00:00.000000000 +0000
+++ dpdk-18.11.5/debian/patches/0003-vhost-crypto-validate-keys-lengths.patch	2020-05-12 11:40:52.000000000 +0000
@@ -0,0 +1,77 @@
+From 9b4b29435b74b3e7c3230faef8fcd23e8b5fc93b Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Tue, 21 Apr 2020 19:10:09 +0200
+Subject: [PATCH 3/3] vhost/crypto: validate keys lengths
+
+transform_cipher_param() and transform_chain_param() handle
+the payload data for the VHOST_USER_CRYPTO_CREATE_SESS
+message. These payloads have to be validated, since it
+could come from untrusted sources.
+
+Two buffers and their lenghts are defined in this payload,
+one the the auth key and one for the cipher key. But above
+functions do not validate the key length inputs, which could
+lead to read out of bounds, as buffers have static sizes of
+64 bytes for the cipher key and 512 bytes for the auth key.
+
+This patch adds necessary checks on the key length field
+before being used.
+
+Fixes: e80a98708166 ("vhost/crypto: add session message handler")
+Cc: stable@dpdk.org
+
+This issue has been assigned CVE-2020-10724
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
+Reviewed-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+---
+ lib/librte_vhost/vhost_crypto.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
+index cf01c7ebe3..8934365f2f 100644
+--- a/lib/librte_vhost/vhost_crypto.c
++++ b/lib/librte_vhost/vhost_crypto.c
+@@ -236,6 +236,11 @@ transform_cipher_param(struct rte_crypto_sym_xform *xform,
+ 	if (unlikely(ret < 0))
+ 		return ret;
+ 
++	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
++		VC_LOG_DBG("Invalid cipher key length\n");
++		return -VIRTIO_CRYPTO_BADMSG;
++	}
++
+ 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ 	xform->cipher.key.length = param->cipher_key_len;
+ 	if (xform->cipher.key.length > 0)
+@@ -286,6 +291,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
+ 			&xform_cipher->cipher.algo);
+ 	if (unlikely(ret < 0))
+ 		return ret;
++
++	if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) {
++		VC_LOG_DBG("Invalid cipher key length\n");
++		return -VIRTIO_CRYPTO_BADMSG;
++	}
++
+ 	xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ 	xform_cipher->cipher.key.length = param->cipher_key_len;
+ 	xform_cipher->cipher.key.data = param->cipher_key_buf;
+@@ -300,6 +311,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms,
+ 	ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo);
+ 	if (unlikely(ret < 0))
+ 		return ret;
++
++	if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) {
++		VC_LOG_DBG("Invalid auth key length\n");
++		return -VIRTIO_CRYPTO_BADMSG;
++	}
++
+ 	xform_auth->auth.digest_length = param->digest_len;
+ 	xform_auth->auth.key.length = param->auth_key_len;
+ 	xform_auth->auth.key.data = param->auth_key_buf;
+-- 
+2.25.2
+
diff -Nru dpdk-18.11.5/debian/patches/series dpdk-18.11.5/debian/patches/series
--- dpdk-18.11.5/debian/patches/series	2019-10-30 08:11:49.000000000 +0000
+++ dpdk-18.11.5/debian/patches/series	2020-05-12 11:40:52.000000000 +0000
@@ -3,3 +3,6 @@
 0006-build-reorder-libraries-and-build-eal-before-cmdline.patch
 0007-build-use-dependency-for-libbsd-instead-of-manual-ap.patch
 avoid-as-needed-as-it-causes-overlinking.patch
+0001-vhost-check-log-mmap-offset-and-size-overflow.patch
+0002-vhost-fix-vring-index-check.patch
+0003-vhost-crypto-validate-keys-lengths.patch