
In ROP, often a gadget has an undesired pop or push in the middle.

For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well.

What about a push: What do we do to our chain to handle it? It seems to me that since a push first decrements SP and only afterwards writes, it will break our chain completely: SP now points to the value pushed, and not the next gadget.

Is that correct? If so, is there a way to use gadgets with push in them?

SRobertJames

1 Answer


Writing exploits is a bit like solving a puzzle where you get to make your own pieces. As long as it works, it works. Of course, the constraints of each piece of vulnerable software do affect what you can and cannot successfully do. Any gadget that manipulates the stack pointer can be problematic, although the pop; ret variant is reasonably safe.

As you've stated, the objective is to keep control of the stack pointer until you no longer need to. So any push needs to be countered by a pop or another increment of SP. Because execution follows IP until the next return, it's OK to decrease SP as long as you can align it again before the next ret. There are some common cases where using push (pushad) in the ROP payload is a success criterion. However, this is usually the last step, which writes out a stack frame that pivots execution.

Using gadgets that do push esp; pop reg; ret is pretty common in DEP bypasses; here are a few examples:

wireghoul
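The following is an added example, not code from the question or the answer: a small word-granular model of the x86 stack while a ROP chain runs, so the effect of a push inside a gadget can be traced step by step. The gadget addresses, the two-register machine, STACK_BASE and the chain layouts are all made up for the illustration. It covers the cases the answer describes (a pop handled by a dummy word; a push balanced by a pop or an add esp) and one the answer does not spell out: an uncompensated push eax; ret behaves like jmp eax, so it only breaks the chain if eax does not already hold a gadget address.

```c
/* Added example (not code from the post): word-granular model of the x86 stack
 * while a ROP chain runs, showing what a push inside a gadget does to the chain.
 * Gadget addresses, the register set and STACK_BASE are all hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum reg { EAX, EBX, ESP };
enum op  { POP, PUSH, ADD_ESP, RET };
struct insn { enum op op; int arg; };      /* arg: a reg, or byte count for ADD_ESP */

/* Hypothetical gadget addresses; the chain names gadgets by these. */
#define G_POP_EAX_RET        0x08048100u  /* pop eax; ret */
#define G_PUSH_EAX_RET       0x08048200u  /* push eax; ret            (push not compensated) */
#define G_PUSH_EAX_POP_EBX   0x08048300u  /* push eax; pop ebx; ret   (esp net 0 at the ret) */
#define G_PUSH_EAX_ADD4_RET  0x08048400u  /* push eax; add esp,4; ret (esp net 0 at the ret) */
#define G_PUSH_ESP_POP_EAX   0x08048500u  /* push esp; pop eax; ret   (copies esp into eax) */
#define G_RET                0x08048600u  /* ret */
#define END_MARKER           0xdeadbeefu  /* "return address" treated as a clean finish */
#define STACK_BASE           0xbffff000u  /* hypothetical address of stack[0] */
#define STACK_WORDS          32
#define CHAIN_AT             8            /* chain starts here; slots below absorb pushes */

struct gadget { uint32_t addr; struct insn code[3]; };  /* every gadget ends in RET */
static const struct gadget gadgets[] = {
    { G_POP_EAX_RET,       { {POP, EAX},  {RET, 0} } },
    { G_PUSH_EAX_RET,      { {PUSH, EAX}, {RET, 0} } },
    { G_PUSH_EAX_POP_EBX,  { {PUSH, EAX}, {POP, EBX},   {RET, 0} } },
    { G_PUSH_EAX_ADD4_RET, { {PUSH, EAX}, {ADD_ESP, 4}, {RET, 0} } },
    { G_PUSH_ESP_POP_EAX,  { {PUSH, ESP}, {POP, EAX},   {RET, 0} } },
    { G_RET,               { {RET, 0} } },
};

struct cpu {                   /* sp is a word index: esp == STACK_BASE + sp*4 */
    uint32_t stack[STACK_WORDS]; int sp; uint32_t eax, ebx, eip; int executed; };

static uint32_t  esp_value(const struct cpu *c) { return STACK_BASE + (uint32_t)c->sp * 4; }
static uint32_t *gpr(struct cpu *c, int r)      { return r == EAX ? &c->eax : &c->ebx; }
static const struct gadget *lookup(uint32_t addr) {
    for (size_t i = 0; i < sizeof gadgets / sizeof gadgets[0]; i++)
        if (gadgets[i].addr == addr) return &gadgets[i];
    return NULL;
}

/* Place the chain on the stack and fire the first ret. Returns 1 if a sequence of
 * rets reaches END_MARKER, 0 if some ret lands on a word that is not a gadget
 * (the chain is broken). The cpu state is left behind for inspection. */
static int run_chain(struct cpu *c, const uint32_t *chain, int n) {
    memset(c, 0, sizeof *c);
    memcpy(&c->stack[CHAIN_AT], chain, (size_t)n * sizeof chain[0]);
    c->sp  = CHAIN_AT;
    c->eip = c->stack[c->sp++];                 /* the vulnerable function's own ret */
    for (;;) {
        if (c->eip == END_MARKER) return 1;
        const struct gadget *g = lookup(c->eip);
        if (!g) return 0;                       /* [esp] was not the next gadget */
        for (int i = 0; i < 3; i++) {
            const struct insn *in = &g->code[i];
            if (in->op == POP)          *gpr(c, in->arg) = c->stack[c->sp++];
            else if (in->op == PUSH) {          /* esp is decremented first, then [esp] written */
                uint32_t v = in->arg == ESP ? esp_value(c) : *gpr(c, in->arg);
                c->stack[--c->sp] = v;
            }
            else if (in->op == ADD_ESP) c->sp += in->arg / 4;
            else { c->eip = c->stack[c->sp++]; c->executed++; break; }  /* RET */
        }
    }
}

/* A push balanced by a pop, or by add esp, leaves esp where the ret expects it. */
static int balanced_push_ok(void) {
    struct cpu c;
    const uint32_t chain[] = { G_POP_EAX_RET, 0x41414141 /* dummy for the pop */,
                               G_PUSH_EAX_POP_EBX, G_PUSH_EAX_ADD4_RET, END_MARKER };
    return run_chain(&c, chain, 5) && c.executed == 3 && c.ebx == 0x41414141;
}
/* Uncompensated push: the ret consumes the word just pushed, so control goes to
 * whatever eax held (here the dummy) and the rest of the chain is never reached. */
static int unbalanced_push_breaks(void) {
    struct cpu c;
    const uint32_t chain[] = { G_POP_EAX_RET, 0x41414141, G_PUSH_EAX_RET, G_RET, END_MARKER };
    return !run_chain(&c, chain, 5) && c.executed == 2 && c.eip == 0x41414141;
}
/* The flip side, beyond what the answer states: push reg; ret is a jmp reg. With a
 * gadget address already in eax the chain survives, and esp is back where it was. */
static int push_ret_as_jump(void) {
    struct cpu c;
    const uint32_t chain[] = { G_POP_EAX_RET, G_RET, G_PUSH_EAX_RET, END_MARKER };
    return run_chain(&c, chain, 4) && c.executed == 3;
}
/* push esp; pop eax; ret: eax now holds the address of the chain word esp pointed at. */
static int push_esp_pop_eax_leaks_esp(void) {
    struct cpu c;
    const uint32_t chain[] = { G_PUSH_ESP_POP_EAX, G_RET, END_MARKER };
    return run_chain(&c, chain, 3) && c.eax == STACK_BASE + (CHAIN_AT + 1) * 4;
}
int main(void) {   /* each 1 means the case behaved as its comment says */
    printf("balanced %d  unbalanced-breaks %d  push-ret-as-jmp %d  esp-leak %d\n",
           balanced_push_ok(), unbalanced_push_breaks(), push_ret_as_jump(),
           push_esp_pop_eax_leaks_esp());
    return 0;
}
```

The rule the model makes concrete: for each gadget, tally the stack-pointer movement between its entry and its ret (pops and add esp count up, pushes count down). If the tally is zero, the ret fetches the next word of your chain as usual; if it is positive, pad the chain with that many dummy words; if it is negative, the ret will read a word the gadget itself wrote, which is only acceptable when you deliberately put a gadget address there.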