I have seen that ARM uses a link register, and wondered is it unwritable by an user space malicious code?
I mean you can't do a stackoverflow attack and override the return address on the stack (like in x86).
The link register makes it slightly harder to overwrite it with the user input, but definitely not impossible. The most common reason is nested functions: if you're calling another function, you have to store the current LR somewhere since it will be clobbered by the call. The logical place for it is the stack, with the other saved registers, and that's what most compilers do. Thus, a buffer overflow still can overwrite the saved LR, and the control transfer can happen when that saved value is popped and used to "return to the caller".