
In ROP, often a gadget has an undesired pop or push in the middle.

For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well.

What about a push? What do we do to our chain to handle it? It seems to me that since a push first decrements SP and only afterwards writes, it will break our chain completely: SP now points to the value pushed, and not to the next gadget.

Is that correct? If so, is there a way to use gadgets with push in them?

2 Answers


Writing exploits is a bit like solving a puzzle where you get to make your own pieces. As long as it works, it works. Of course, the constraints of each vulnerable program do affect what you can and cannot successfully do. Any gadget that manipulates the stack pointer can be problematic, although the pop; ret variant is reasonably safe.

As you've stated, the objective is to keep control of the stack pointer until you no longer need it. So any push needs to be countered by a pop or another increment of SP. Because execution follows IP until the next return, it's OK to decrease SP as long as you can realign it before the next ret. There are some common cases where using push (pushad) in the ROP payload is a success criterion. However, this is usually the last step, which writes out a stack frame that pivots execution.

Using gadgets that do push esp; pop reg; ret is pretty common in DEP bypasses; here are a few examples:


If your gadgets' addresses are known before sending the ROP chain (i.e. DEP without ASLR), you can also use a PUSH in a gadget, provided you were able to POP into the same register beforehand.

For example, say you want to RET into address 0xDEADBEEF after a gadget that contains an annoying PUSH ECX; you can find an arbitrary POP ECX gadget to run right before it, and load into ECX the address of your final gadget.

Your ROP chain would look like this:

ADDRESS OF GADGET: .... ; POP ECX ; RET ;
VALUE TO STORE INTO ECX 0xDEADBEEF (address of final gadget)
ADDRESS OF GADGET: .... ; PUSH ECX ; RET
ADDRESS OF GADGET TO RUN AFTER THE GADGET LOCATED AT 0xDEADBEEF
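To check the stack-pointer arithmetic behind both the question's dummy-value trick for an unwanted pop and the POP ECX / PUSH ECX layout in the answer above, here is a small model of x86-32 pop/push/ret semantics. It is an added example, not code from the thread; the gadget addresses, stack base and the 0x41414141 filler are constructed.

```python
# Added example (not from the thread): a minimal model of x86-32 stack
# semantics for ROP gadgets, to check how pop/push/ret move ESP.
# All gadget addresses and the stack base are constructed, not real.
STACK_BASE = 0x7FFF0000

GADGETS = {
    0x08041000: [("pop", "ecx"), ("ret",)],   # POP ECX ; RET
    0x08042000: [("push", "ecx"), ("ret",)],  # PUSH ECX ; RET (the annoying push)
    0x08044000: [("pop", "eax"), ("ret",)],   # gadget with an unwanted pop
    0xDEADBEEF: [("ret",)],                   # the final gadget from the answer
    0x08043000: [("ret",)],                   # gadget to run after 0xDEADBEEF
}

def run_chain(chain, gadgets=GADGETS, ecx=0x41414141, max_steps=32):
    """Lay `chain` out on the stack (first entry is the overwritten return
    address) and return the gadget addresses executed, in order.  A ret into
    an address that is not a gadget is recorded as 'crash@0x...'."""
    mem = {STACK_BASE + 4 * i: v for i, v in enumerate(chain)}
    regs = {"ecx": ecx}          # ECX holds uncontrolled junk by default
    esp = STACK_BASE
    trace = []
    for _ in range(max_steps):
        eip = mem.get(esp)       # ret: eip = [esp]; esp += 4
        esp += 4
        if eip is None:          # ran off the end of the chain: done
            return trace
        if eip not in gadgets:
            trace.append(f"crash@{eip:#x}")
            return trace
        trace.append(eip)
        for op, *arg in gadgets[eip]:
            if op == "pop":      # pop r: r = [esp]; esp += 4
                regs[arg[0]] = mem.get(esp, 0)
                esp += 4
            elif op == "push":   # push r: esp -= 4; [esp] = r  (overwrites the
                esp -= 4         # slot the previous ret already consumed)
                mem[esp] = regs.get(arg[0], 0)
            # "ret" ends the gadget; the top of the loop performs it
    return trace

# The question's case: an unwanted pop is absorbed by a dummy value.
POP_WITH_DUMMY = [0x08044000, 0x41414141, 0x08043000]
# PUSH ECX ; RET with ECX uncontrolled: the ret lands on whatever ECX held.
PUSH_UNCONTROLLED = [0x08042000, 0xDEADBEEF, 0x08043000]
# The answer's layout: POP ECX first, so the push re-inserts our chosen address.
PUSH_PRELOADED = [0x08041000, 0xDEADBEEF, 0x08042000, 0x08043000]
```

Calling run_chain on the three constructed chains shows the uncontrolled push ending in crash@0x41414141, while the preloaded chain executes 0x08041000, 0x08042000, 0xDEADBEEF and then 0x08043000, exactly the order the answer's layout intends.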
